blackshades | b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Size

520KB
MD5

9ad804a81fe08950e54547454d6bee4e
SHA1

a10ef9d0f0c53035435c8fa5af655cd7969bd4fd
SHA256

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e
SHA512

ee54de0bf577925e3103630dfb27a727d2c872f5c1ae1fbe489192d9ce55afc5632fd766f60d7555f2dc7e5a0f45d07b6653cf8ccdce599cd514a4b961f5d0ce
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXm:zW6ncoyqOp6IsTl/mXm

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral1/memory/2036-1605-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2036-1610-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2036-1613-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2036-1614-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2036-1615-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYIPEDEAFAVQDL\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	service.exe
2632	service.exe
1476	service.exe
532	service.exe
2956	service.exe
596	service.exe
1588	service.exe
1248	service.exe
2736	service.exe
2972	service.exe
1688	service.exe
2064	service.exe
2924	service.exe
2832	service.exe
1348	service.exe
2024	service.exe
2932	service.exe
2692	service.exe
2548	service.exe
2164	service.exe
1700	service.exe
2352	service.exe
264	service.exe
1620	service.exe
728	service.exe
2096	service.exe
2892	service.exe
2560	service.exe
1080	service.exe
1296	service.exe
1472	service.exe
2884	service.exe
984	service.exe
2236	service.exe
1980	service.exe
2284	service.exe
2316	service.exe
2888	service.exe
2548	service.exe
624	service.exe
1688	service.exe
2168	service.exe
2500	service.exe
2420	service.exe
1036	service.exe
2288	service.exe
2660	service.exe
1668	service.exe
1188	service.exe
576	service.exe
1272	service.exe
2792	service.exe
2488	service.exe
1984	service.exe
2940	service.exe
2256	service.exe
2672	service.exe
1372	service.exe
1080	service.exe
624	service.exe
1688	service.exe
676	service.exe
348	service.exe
2580	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2732	service.exe
2732	service.exe
2632	service.exe
2632	service.exe
1476	service.exe
1476	service.exe
532	service.exe
532	service.exe
2956	service.exe
2956	service.exe
596	service.exe
596	service.exe
1588	service.exe
1588	service.exe
1248	service.exe
1248	service.exe
2736	service.exe
2736	service.exe
2972	service.exe
2972	service.exe
1688	service.exe
1688	service.exe
2064	service.exe
2064	service.exe
2924	service.exe
2924	service.exe
2832	service.exe
2832	service.exe
1348	service.exe
1348	service.exe
2024	service.exe
2024	service.exe
2932	service.exe
2932	service.exe
2692	service.exe
2692	service.exe
2548	service.exe
2548	service.exe
2164	service.exe
2164	service.exe
1700	service.exe
1700	service.exe
2352	service.exe
2352	service.exe
264	service.exe
264	service.exe
1620	service.exe
1620	service.exe
728	service.exe
728	service.exe
2096	service.exe
2096	service.exe
2892	service.exe
2892	service.exe
2560	service.exe
2560	service.exe
1080	service.exe
1080	service.exe
1296	service.exe
1296	service.exe
1472	service.exe
1472	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\UFDHCKWAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RIROJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OABEQRMKNCQXHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIASJGBUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\REIECSYQHHJEABK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAQQOWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLXIHLYCMSKBADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSWKANJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVMBLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYYUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFWPS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHIBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPKAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVAWKXIHLYCMSKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOUQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVANDRNKPCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UWMGELVLQIQEOFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TECHYUVINUVGAOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXNDIARIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MNKTFLQBDGSTOMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOINKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUBBHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABWSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLXOYRQSEINBMV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEGXTUCP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVJJKFDKGWJQA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQBAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICVYCT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LHITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQCAEWVSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUDPU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPJHJWXES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJFAQJKTXYKLIQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWMXQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYVWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUCQPBJBSKGBRKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNDQXH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TEDHYVWIOVWHBPX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJBRJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LTLAUQLVGWBFVWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIGOAHLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJJQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBUEQPQMKRMCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRMCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VTRWJNJGXVLLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICAHRHMEVMAKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXUVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MNJHJMUDOTDQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYIPEDEAFAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYDVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUCQPBJBSKGBRKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MKOCGBQVOEEGBIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGEAYUJXFOFDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQHUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUGEIDLWBYTRAAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJRDKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LMHGIYLTCNSCPAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPTFGDMEJYX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTMCMFEGXTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHMCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYXGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTHIDBEUHOJOKWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PCGCQWOEEGBIWES = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MNLTFMQCAEHSUPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWGNCBCXDTOBJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ULAURMVGWBGVWTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYWNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTHKGEUTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWFFRXNLPKSGIYA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3056	reg.exe
1332	reg.exe
2132	reg.exe
1684	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2036	service.exe
Token: SeCreateTokenPrivilege	2036	service.exe
Token: SeAssignPrimaryTokenPrivilege	2036	service.exe
Token: SeLockMemoryPrivilege	2036	service.exe
Token: SeIncreaseQuotaPrivilege	2036	service.exe
Token: SeMachineAccountPrivilege	2036	service.exe
Token: SeTcbPrivilege	2036	service.exe
Token: SeSecurityPrivilege	2036	service.exe
Token: SeTakeOwnershipPrivilege	2036	service.exe
Token: SeLoadDriverPrivilege	2036	service.exe
Token: SeSystemProfilePrivilege	2036	service.exe
Token: SeSystemtimePrivilege	2036	service.exe
Token: SeProfSingleProcessPrivilege	2036	service.exe
Token: SeIncBasePriorityPrivilege	2036	service.exe
Token: SeCreatePagefilePrivilege	2036	service.exe
Token: SeCreatePermanentPrivilege	2036	service.exe
Token: SeBackupPrivilege	2036	service.exe
Token: SeRestorePrivilege	2036	service.exe
Token: SeShutdownPrivilege	2036	service.exe
Token: SeDebugPrivilege	2036	service.exe
Token: SeAuditPrivilege	2036	service.exe
Token: SeSystemEnvironmentPrivilege	2036	service.exe
Token: SeChangeNotifyPrivilege	2036	service.exe
Token: SeRemoteShutdownPrivilege	2036	service.exe
Token: SeUndockPrivilege	2036	service.exe
Token: SeSyncAgentPrivilege	2036	service.exe
Token: SeEnableDelegationPrivilege	2036	service.exe
Token: SeManageVolumePrivilege	2036	service.exe
Token: SeImpersonatePrivilege	2036	service.exe
Token: SeCreateGlobalPrivilege	2036	service.exe
Token: 31	2036	service.exe
Token: 32	2036	service.exe
Token: 33	2036	service.exe
Token: 34	2036	service.exe
Token: 35	2036	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
2732	service.exe
2632	service.exe
1476	service.exe
532	service.exe
2956	service.exe
596	service.exe
1588	service.exe
1248	service.exe
2736	service.exe
2972	service.exe
1688	service.exe
2064	service.exe
2924	service.exe
2832	service.exe
1348	service.exe
2024	service.exe
2932	service.exe
2692	service.exe
2548	service.exe
2164	service.exe
1700	service.exe
2352	service.exe
264	service.exe
1620	service.exe
728	service.exe
2096	service.exe
2892	service.exe
2560	service.exe
1080	service.exe
1296	service.exe
1472	service.exe
2884	service.exe
984	service.exe
2236	service.exe
1980	service.exe
2284	service.exe
2316	service.exe
2888	service.exe
2548	service.exe
624	service.exe
1688	service.exe
2168	service.exe
2500	service.exe
2420	service.exe
1036	service.exe
2696	service.exe
2660	service.exe
1668	service.exe
1188	service.exe
576	service.exe
1272	service.exe
2792	service.exe
2488	service.exe
1984	service.exe
2940	service.exe
2256	service.exe
2672	service.exe
1372	service.exe
1080	service.exe
624	service.exe
1688	service.exe
676	service.exe
348	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2764	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	30
PID 2124 wrote to memory of 2764	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	30
PID 2124 wrote to memory of 2764	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	30
PID 2124 wrote to memory of 2764	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	30
PID 2764 wrote to memory of 2696	2764	cmd.exe	32
PID 2764 wrote to memory of 2696	2764	cmd.exe	32
PID 2764 wrote to memory of 2696	2764	cmd.exe	32
PID 2764 wrote to memory of 2696	2764	cmd.exe	32
PID 2124 wrote to memory of 2732	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	33
PID 2124 wrote to memory of 2732	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	33
PID 2124 wrote to memory of 2732	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	33
PID 2124 wrote to memory of 2732	2124	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	33
PID 2732 wrote to memory of 2392	2732	service.exe	34
PID 2732 wrote to memory of 2392	2732	service.exe	34
PID 2732 wrote to memory of 2392	2732	service.exe	34
PID 2732 wrote to memory of 2392	2732	service.exe	34
PID 2392 wrote to memory of 2592	2392	cmd.exe	36
PID 2392 wrote to memory of 2592	2392	cmd.exe	36
PID 2392 wrote to memory of 2592	2392	cmd.exe	36
PID 2392 wrote to memory of 2592	2392	cmd.exe	36
PID 2732 wrote to memory of 2632	2732	service.exe	37
PID 2732 wrote to memory of 2632	2732	service.exe	37
PID 2732 wrote to memory of 2632	2732	service.exe	37
PID 2732 wrote to memory of 2632	2732	service.exe	37
PID 2632 wrote to memory of 1188	2632	service.exe	38
PID 2632 wrote to memory of 1188	2632	service.exe	38
PID 2632 wrote to memory of 1188	2632	service.exe	38
PID 2632 wrote to memory of 1188	2632	service.exe	38
PID 1188 wrote to memory of 2300	1188	cmd.exe	40
PID 1188 wrote to memory of 2300	1188	cmd.exe	40
PID 1188 wrote to memory of 2300	1188	cmd.exe	40
PID 1188 wrote to memory of 2300	1188	cmd.exe	40
PID 2632 wrote to memory of 1476	2632	service.exe	41
PID 2632 wrote to memory of 1476	2632	service.exe	41
PID 2632 wrote to memory of 1476	2632	service.exe	41
PID 2632 wrote to memory of 1476	2632	service.exe	41
PID 1476 wrote to memory of 2292	1476	service.exe	42
PID 1476 wrote to memory of 2292	1476	service.exe	42
PID 1476 wrote to memory of 2292	1476	service.exe	42
PID 1476 wrote to memory of 2292	1476	service.exe	42
PID 2292 wrote to memory of 2960	2292	cmd.exe	44
PID 2292 wrote to memory of 2960	2292	cmd.exe	44
PID 2292 wrote to memory of 2960	2292	cmd.exe	44
PID 2292 wrote to memory of 2960	2292	cmd.exe	44
PID 1476 wrote to memory of 532	1476	service.exe	45
PID 1476 wrote to memory of 532	1476	service.exe	45
PID 1476 wrote to memory of 532	1476	service.exe	45
PID 1476 wrote to memory of 532	1476	service.exe	45
PID 532 wrote to memory of 2264	532	service.exe	46
PID 532 wrote to memory of 2264	532	service.exe	46
PID 532 wrote to memory of 2264	532	service.exe	46
PID 532 wrote to memory of 2264	532	service.exe	46
PID 2264 wrote to memory of 2928	2264	cmd.exe	48
PID 2264 wrote to memory of 2928	2264	cmd.exe	48
PID 2264 wrote to memory of 2928	2264	cmd.exe	48
PID 2264 wrote to memory of 2928	2264	cmd.exe	48
PID 532 wrote to memory of 2956	532	service.exe	49
PID 532 wrote to memory of 2956	532	service.exe	49
PID 532 wrote to memory of 2956	532	service.exe	49
PID 532 wrote to memory of 2956	532	service.exe	49
PID 2956 wrote to memory of 2636	2956	service.exe	50
PID 2956 wrote to memory of 2636	2956	service.exe	50
PID 2956 wrote to memory of 2636	2956	service.exe	50
PID 2956 wrote to memory of 2636	2956	service.exe	50

C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
"C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempHHQMU.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWFFRXNLPKSGIYA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2696
- C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
    "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFWPS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
      "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHIBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLHPG.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYDVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
        7⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKWAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQXM.bat" "
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFNE.bat" "
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUGEIDLWBYTRAAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIW.bat" "
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKP\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKP\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        12⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        13⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDVUQR.bat" "
        14⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMHGIYLTCNSCPAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRDLDG.bat" "
        15⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCQWOEEGBIWES" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        16⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        17⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCOUKI.bat" "
        18⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LTLAUQLVGWBFVWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQRWD.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        20⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOINKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUBBHAE\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPFTBJ.bat" "
        21⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNLTFMQCAEHSUPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        22⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        23⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXXMVH.bat" "
        24⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQCAEWVSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        25⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJJQFEFBGBWREMG\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOULIN.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAURMVGWBGVWTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWTTT.bat" "
        27⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHMCN\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHMCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHMCN\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        29⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBUEQPQMKRMCQXG\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\UBUEQPQMKRMCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UBUEQPQMKRMCQXG\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJNBEW.bat" "
        30⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJFAQJKTXYKLIQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        31⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYXGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIFKFM.bat" "
        32⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RIROJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVYLMJ.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TUCQPBJBSKGBRKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNDQXH\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNDQXH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNDQXH\service.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        34⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEGXTUCP\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEGXTUCP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEGXTUCP\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "
        35⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQBAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUQXM.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBEUHOJOKWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUYLMJ.bat" "
        37⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TUCQPBJBSKGBRKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXH\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXH\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempESAIA.bat" "
        40⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNKTFLQBDGSTOMP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKJXEU.bat" "
        41⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TEDHYVWIOVWHBPX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOXODM.bat" "
        42⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LHITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLOQVB.bat" "
        43⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        44⤵
        
        PID:308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRNKPCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UWMGELVLQIQEOFB\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBOXK.bat" "
        45⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYVWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        46⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTLCMFEGWTTBP\service.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "
        47⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
        47⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempESRDL.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MKOCGBQVOEEGBIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGEAYUJXFOFDO\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\TWMGEAYUJXFOFDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWMGEAYUJXFOFDO\service.exe"
        48⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
        49⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REIECSYQHHJEABK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQQOWIP\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQQOWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQQOWIP\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSAONH.bat" "
        51⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLXIHLYCMSKBADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        52⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAWKXIHLYCMSKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOUQGTBK\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOUQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOUQGTBK\service.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNIWVI.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTHKGEUTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKJWDT.bat" "
        54⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TECHYUVINUVGAOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VTRWJNJGXVLLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMAKB\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMAKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMAKB\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVRFC.bat" "
        56⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f
        57⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQM.bat" "
        57⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKANJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVMBLB\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVMBLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVMBLB\service.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        58⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICVYCT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
        59⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHUFDI.bat" "
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OABEQRMKNCQXHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe" /f
        60⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIASJGBUYKLIRDJ\service.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "
        61⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYYUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOW.bat" "
        62⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXUVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
        63⤵
        Adds Run key to start application
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        63⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe" /f
        64⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEWVRS.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNJHJMUDOTDQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        65⤵
        
        PID:616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe" /f
        66⤵
        Adds Run key to start application
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe" /f
        67⤵
        Adds Run key to start application
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe"
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe
        67⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        69⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe:*:Enabled:Windows Messanger" /f
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYIPEDEAFAVQDL\service.exe:*:Enabled:Windows Messanger" /f
        69⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        68⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        69⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        69⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
c1486f9adf8fdaa68f5bc645834ed3bc

SHA1
ff5d684f44feeaa8eba3931e4ee963fb4e85447a

SHA256
2dfbd988ccfe097bb080e5a842ec9a958f5d22492a653226a7bdf8a23187ab12

SHA512
19c72985375366f36156959eb3cc3abbae403a6eb1111243d19797480274916457c32d49dd3bcbb512ff4df92987b6d8a1ed4d786c63b29c95ac05260a6f9839

Download Submit
C:\Users\Admin\AppData\Local\TempCFGQM.bat

Filesize
163B

MD5
3cc5c72d76f8b8f07841992e61d65568

SHA1
4f67cb7665b900c1397fe5e48e0177f412faaae0

SHA256
5d1d782e82506ff38e224bb286a0ae47538a9c083ea9bbd6d9aeaaabf0a47baf

SHA512
fa451f3d179988d76b05d2f83e225fc8d8183f7d305410c5169eb6cd78bb6dad67b10c0cdedf7344881c5e9bd7a9c84abf6dc06435703a3450986f4c138bfa41

Download Submit
C:\Users\Admin\AppData\Local\TempCOUKI.bat

Filesize
163B

MD5
ea236f89173dec9eb554f16d07834556

SHA1
a404675e9cddb9457d11c373f56d3d8a12444e52

SHA256
77a3de9909b8bcfcd2925d1b4eec70296b57d348d6f1b680438253b6b0f3e219

SHA512
f9c31a58fee3126b269d25633060f1b094479b49fa7e7b0e25a2b21af4fc640b52916a632600ac50811e1e349428eeb97a80e8cb11f5769d4c8f2073bf261612

Download Submit
C:\Users\Admin\AppData\Local\TempDVUQR.bat

Filesize
163B

MD5
0e0745e2c1e8fa721b0e7da1066ebb21

SHA1
b178db429a15f244d1c4b1072960b90afc183263

SHA256
66212740d4f9aa8d1d39c7b474cc5c5c334756dd02f826e470c7fa0a079d4d53

SHA512
cb2d48cb32fe37a7156f04144bb7a1f5120d61585bb2c5e97932a3e94774125a70ca2e78bdb57d7f76651f64fd0bbc706468ecda5e8ed0f9c2acf0261792243b

Download Submit
C:\Users\Admin\AppData\Local\TempDXWLU.bat

Filesize
163B

MD5
dfd4cab5f88961f37b56f920f0a3bb11

SHA1
20ff1258fc401b7bc515f6d7718123bc2fbae639

SHA256
9cd237b7606401f31ec6b1f136480b59cee627b1c57c6aa16c8dcfb01240fe6c

SHA512
2ea225c72ce94447d6a204a98ee8038a03e8d043f81a4f2f66ab930592dd984923e272342a08e2ac08e02b713dd4d948ff931fe8df6646058a71d6ab9f69e06c

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.bat

Filesize
163B

MD5
fc74de560f539af16f764bd34ec91dbc

SHA1
783c4d8e9ec9563341ae3037358ee2ac7b35c986

SHA256
5d11feb6a5a38a19fd5fbc71f1c08090e76f56495ae4b0029f5b833669a213d4

SHA512
8090d6d80844303b14f55cb22230eda974c21152431b8cafc79da05d30f448d2fddac0374cf6e7d2cfb7f21a014327b552c5a468e8fa806760d08dcfab252083

Download Submit
C:\Users\Admin\AppData\Local\TempESAIA.bat

Filesize
163B

MD5
61318277e4c50035858e264313920ad5

SHA1
318f64f6c505ec4cea79a3cfce96a02520a3968f

SHA256
f6525ec6602b61415d7e9fc9856b85ac0ee21b241903769cc4712b2760cbf28b

SHA512
ba2eff381346adbbe9f99971b2c7bb5126ee8a9c82a250f5f242a2ab08c684aa26c4f53772ec6f93f69e323ba189b03f1b91e69d3344ffeaab29967cab3957dc

Download Submit
C:\Users\Admin\AppData\Local\TempEWVRS.bat

Filesize
163B

MD5
2b6bb6b79f1760c96d8dae8345350053

SHA1
8807b01e4ea23dd9bde22595b40ba99c021372cc

SHA256
b13d848a0987be1a1d10b47c99ddb0585d6eed3846485c82b740fee5a39b045d

SHA512
eac54b58f8d90bcaf13aff8bf3f86b239a895fab713705ccfc8212114c4b14e8cc69627eaf85a19324316bfa09c4d8f4c95753b8239080364679e8b2e65c7dd3

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.bat

Filesize
163B

MD5
4892d7bdda30f4a1f532648de54ea9cd

SHA1
64777ed854c5071a060c57c23d6f2b00d5dcb326

SHA256
803a41299d53228bff3844e4e58016f18549fca040e58fbad87871318de871d7

SHA512
ba760b5b49aaced0f3d82ad23a6990f593d0c2b03797b85b8a246804a08876b80de65fcf9e7f315fd97ef25f2dbcd09b5c62e1668b72bd8fdac0c7865633e34e

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
62fa9a51a9584b485bc67ba178c52a15

SHA1
042d01728a84ca3a9e8e081c422ce42e01ed9c1e

SHA256
143dd310c846ebc104fd5a77c2a9406b92c48e64a04dc3bf42c54015be7059be

SHA512
16f913f45a5b76b4c6972747e8a0f1980be0c278078da82af86cf38b4881bcfb2dce19486796b45fa32030e4b56d054276ed833526ec4e699dff3d865512fc35

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
55eac6291ede42a90de5207804c0e0ec

SHA1
f53972b85dfc194f41acf4fec1ac1ae71f8d63f9

SHA256
40b95e7cd44d32cf66e2a6add1cbd09310d05a51d59d88e9dc656ee90602efae

SHA512
d041313443f64f4571a67fda74352f256e85cd7c2d343f4171c4eecaac9c468eca9dbc427ddb8005da088bae2d6b888908245a5fa520b4ee92167a2f0819e3dc

Download Submit
C:\Users\Admin\AppData\Local\TempGBOXK.bat

Filesize
163B

MD5
49f6a9f71ddfd18bae5774c47201e4dd

SHA1
2d37d12b4932b2ae86bdce2b09f18dff8b51b41e

SHA256
660553e78a640e69e49558406d68b0fb7a6e38509d2af39c8ab26ae347c88dba

SHA512
fc440411d483d3d0c5dd6c1f793a8c8b83680e15f7d0d1c6ac20074974ee7989470864c393742b848ec0dcf25c05d9fb976dda2bf5b00d14462df4f95ff35966

Download Submit
C:\Users\Admin\AppData\Local\TempHHQMU.bat

Filesize
163B

MD5
bc77b2208ce8f06d3e1154945fdf9fc5

SHA1
8531e98367475c96a6178b937562f14c4ec7c0e1

SHA256
be836ba080be939f4531b0b34106e09a34b64417445f95c77ec710679a5f534f

SHA512
be45358e835d4da19db4fb3c9360baee52a35ce91fbb44ab3e979607517b14890fc09d83ffe175adab4577c01a692d95387cef2f76e517386691f94f37167a2d

Download Submit
C:\Users\Admin\AppData\Local\TempHUFDI.bat

Filesize
163B

MD5
5da4edbb989708d2fa5839cd169b0698

SHA1
7c87cfdb0ee01619c4c658aef77f0e226d6627db

SHA256
2431109ab179f2cc2d325b6d13ef7c3b3010341f815dd9efff7adfb3797a67aa

SHA512
f9c70b4bc89314254419a52e1fd1a1606a10805599847b7d7bfb1bc2d1563c23a5a5cdc34922b0ca29311c5bb80ee88ea44d8624aac7b961d902b8fb070c28b0

Download Submit
C:\Users\Admin\AppData\Local\TempIFKFM.bat

Filesize
163B

MD5
05267b8a25dbf6d3b0e499dd5d3dddd4

SHA1
32ceff715a19e5317794661ba24c9c6a1803bc8f

SHA256
0d60b4a11afbf30ba329769d2683bc730be54a66f71c38c18ef76b85007e66d6

SHA512
f63e30807f8d8a02d0c627731ddd3e4a694a67fe0907cffff326aa878cece8f56bf3d7973ecc4c970f9e4c7f75acdce1de556311a8b8478b08aff374fb79b270

Download Submit
C:\Users\Admin\AppData\Local\TempIRDJO.bat

Filesize
163B

MD5
d0a99f988ed10c9865e8d7e0cbd943d0

SHA1
2020c6f09879c62def109cf40885683728d67404

SHA256
9fcf37449eb46b635e2c606cb34219d8838bf91f96d55d98ffa822c654d35623

SHA512
961dfd0bd0bbfc83e7d5a96501931fcb939b136b92fb6c62e81c841f6960b8b6eb76570a80b893bbccc5a81a449efdbabfd15b4fa7df57cbf8f5a0b5946ed89b

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.bat

Filesize
163B

MD5
bb036ab7d9b77084d9ef84cfba8e3da0

SHA1
6b2c587c8dfa95733c4e8243e51a3047ab3403cc

SHA256
dea80655cb3bd24b1e3aa04d62a4441f8d7953c4dd3e3afd6ac249de0d7738dd

SHA512
420c6ac76a84b9472b8021e4de315cfc8b107232f5b1950dc3e5adecc04f356b74a6799fdf6f613bc2c1b1b95f59fb699f587d0050cf3d997c933f8c67b7fb7c

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
f87d5c52eef43f4774ff1f3f5546abbd

SHA1
1f2d1221095c4a20ef510c93fed95eb39532bd5c

SHA256
77242b1505b2b7eee2f8283d34d521a7e434775dcdd5df622d77297bed8b1843

SHA512
1f0f1d1274f3b95a8e0532a573b909f501304f9c06191142193adec33bd2cef6b5cc4acdede95a2dfad4e21faf30363a7a7dea5f883e6d704e36a716da96a673

Download Submit
C:\Users\Admin\AppData\Local\TempJNBEW.bat

Filesize
163B

MD5
7b450cfa5c325822e4de94025e9b913c

SHA1
be4d1cc72edb6d312b431e60cfeb7efaac91b2d8

SHA256
15835b3d3377abe9c4ed563f64a904f28c113af814a07216098b3c2b6f5de440

SHA512
fce27bfb4f5df7c48c9f09ad943dd002ba94412b8a1ff056b6028a161540283e6a4dde4e56dcdb2bf6c52caac4d7a3d6ad64fa6691897048f920482f60bd3694

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWN.bat

Filesize
163B

MD5
eb82934b438b7915fbae2dbfbadb9a36

SHA1
24a23c6b92031b17d0d796edf99a3b0dc1085837

SHA256
80f7d74dcdf611cca1d76ca8929c79d5be6ac988da1dae2f259e671d11005df3

SHA512
3a114c8f2758b0237bfa05e9365b4267e42591dc1c4de0c03b16991c3ded72c0b4d8abc1b7933dc1c6ac49434bbfc9785811348a9e3cc2558d46e562fd62d44c

Download Submit
C:\Users\Admin\AppData\Local\TempJXFNE.bat

Filesize
163B

MD5
116a7f1ae3b35b7c41e3bd80e36be49f

SHA1
2fa1e3043e4f53decb7d2bfd5e59ef8e8bdb1de1

SHA256
818efcff5853a15b10b98e2910f5688b3e2b14add4a38501330e12233333b263

SHA512
f442cc4db5fa4495683c3c8934523dc5b01d1092e5d89c2b9d63383452c1707d466999d0137b57ab7f509da01d9201f60c7988aaa494c8c068fa14c6faf6f23d

Download Submit
C:\Users\Admin\AppData\Local\TempKJWDT.bat

Filesize
163B

MD5
edb959f4cca7c95188e225d3f0e9697c

SHA1
4b046443e62babc6e5817c55a2d339e133f26eee

SHA256
0d15b933793b0b28523a9de463679a5d911b151a63ff4976638f4e44c1d6e8c0

SHA512
13fb3ad5b571d827da4de47b3ee3abdda277fe58641d1c345b0b3d97d79bfd324148c9cc31741c1d0805a9d69a76cb9e45d7ee0641af88da44c82de20951bf50

Download Submit
C:\Users\Admin\AppData\Local\TempKJXEU.bat

Filesize
163B

MD5
77dcadcbc1745fa2a3bb9dcbe70993bf

SHA1
dcc0d52660b9b789964c9cbb5a0b11df90153d86

SHA256
f9e9966ea32e74d3443bceb8b74bbfd99566dd5fc66b5d3c690cf7491e034fe0

SHA512
654b3f274009126155967d8fdea440ff86d1146f8829bb7974ca6c2cbef21fc2ee1750cdaa52d55d3fb9e2618ccb5cf16c108c19de1f6aed604e0699de0e7abd

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.bat

Filesize
163B

MD5
a562ba50ac89ceabb531ef21fddcab00

SHA1
f0c75eb1085b6816d77e4b151e18cf6e395c213a

SHA256
38b2253fec95804b3b5f3fb791a74900820f6d905d352e3d9c1e545028e30094

SHA512
ca2f2155e8f80f7ed7e5e4018952104433f0c328eb78f89af1b2535a6c4126efc043d5b676d34f276b2987687fcf14a8fdccd987f96184ac320a47dc327ad61b

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.bat

Filesize
163B

MD5
9fb89caec6f093f5b98a120aa434a6e6

SHA1
7ac90bdec43895a090525864e7e03191b1e9862b

SHA256
0487f19665acc64817da8d7c6566bc0f2e05de4fe3dda344f2da61e9fbf6680e

SHA512
1959f45c5cae5618a7dd50a2a1417022db08067257cf996b8f80711c2d1a2efee2a733b175708eb9508d930032b37379190877f864ac36c325a32cee0d06d2f5

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.bat

Filesize
163B

MD5
8b97263970632a3c1ff9bf70412b7f84

SHA1
0371cbfe0ac9c589053d47cb4ab9bbc1767d9ae0

SHA256
a7b2f76c913d03ab65c01792c0d01fb2cf7fcbd391f4de64ee1fc83f44e7907d

SHA512
d619dd5b74b8c3746cb8ceb968f2fe6caf24c2ea537cfb4ac15b30f4ea066581291e8b92e1634c844e524f9ded809dc4132b3d86674add60dfdfe7e9142dba3a

Download Submit
C:\Users\Admin\AppData\Local\TempLOQVB.bat

Filesize
163B

MD5
5f03c17191959612e6bf0978090d281f

SHA1
d1a3a1c55f0205a157b7e2937ed34ff4190d8fbe

SHA256
cb703a76099495b5a7492268f5fcbaede3f7c5889aea7891e60fdc4249ca2831

SHA512
f33fe7482a8f2bb96d3afd58169a8f47caaab7c62be5776c2cd1d9c8df6c36d4b007d5ff11bdecf83b1e742c4d15a0cf10359aa08c257cf3fa94c2fe0a0f2662

Download Submit
C:\Users\Admin\AppData\Local\TempMDYBN.bat

Filesize
163B

MD5
92327e9738cd499d4afdd62db159348d

SHA1
a73e83f12ba167599d541350ae75015435020f71

SHA256
0d9bee85ed125b19687b9868f546361aade2853ebd8cdaf03cc6db354ff2fa09

SHA512
4baf7c704ecc3ea4f13450ae0b1cba288060e6b9d4099ae9aecbe20c3121a1d3d2d50cb6289dfaef8dcb20fe77a6206c3967396fc11f9b2189032cabcf49868a

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.bat

Filesize
163B

MD5
a4d004ad29d3b8175a96f922359cc315

SHA1
0fa15cba7e806e78247ff7a5a5aef1172dbeed47

SHA256
3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c

SHA512
81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
b8a8e615c133f884006d3ff8cbac62f4

SHA1
349e61084645268e12eac775b479a0cc7578fcf9

SHA256
555d165a7e5f84baaebc7bbb79b7d8ea7fbc2551681870e5949c2ef7d5434e88

SHA512
ba8f818e293421e2374788d0b255f8ffba4f3df1489cc5b5eecaa9fa20292a4280a0fd50731c221001e576e345f8b638ccb02f8c558efc7e1b0967e2496e9547

Download Submit
C:\Users\Admin\AppData\Local\TempMQRWD.bat

Filesize
163B

MD5
aaf2c13de05e3c7e1bd38fe5a0cea537

SHA1
914cb5684e7f6c63a40ee5c03c38dc8b3c2e8e6d

SHA256
588c16354f1affbc3c8fca466640d7fc3f20e0a08f64548e7cb15d89f7d49631

SHA512
3a04699c25d2742ba6b2486f42e1f547623fff61b0643bbf67b2097b068f8da1357b36d4f4dcb8827958f8dbcb09e6064daba2554608c13fc6b7697909e77f22

Download Submit
C:\Users\Admin\AppData\Local\TempMVRFC.bat

Filesize
163B

MD5
5d51186b0c695bd0bfcef3b0ada8be70

SHA1
c9282525e5c0594b0f68704d3f95a7aa9c967597

SHA256
b4de230656c06e08efbb232d4eb34a45cfd632f0164be479998b378becc80e8c

SHA512
f71bd231afc6f3259deeee28f3bec584c3f76e4d3f35ec8340af2b56507db9bdd09e121d10fc87d6771aeea278ae53a288f1ec41cfdb532c7a891bdf38080615

Download Submit
C:\Users\Admin\AppData\Local\TempNIWVI.bat

Filesize
163B

MD5
bafb50a1971b8546c449cbdebb9e6964

SHA1
0bdb7fabafbc7f2d3703d6ddab0e97ba0ccd0baf

SHA256
4f5079af7f4649ed59b30f899f14d364dc414c0abad886a7fefc8a6ac1b8124a

SHA512
e7ffcde9ee652c8625b151f8e82f5fb8d5b9afba03257a3b23c98f3932913ea44ff703b015340e9c616a928485bb679f89108080d311a8747bafd76336323fc6

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.bat

Filesize
163B

MD5
abdf815d63e8555d14fd45c44fa4870d

SHA1
db5b684a741883e1d999a126f5bed967747a9967

SHA256
98f58fafe79882a38007fcbb49a074f86446263301e079a3b7616d359d985407

SHA512
d38894eb0fc1aec80a34decc87b07659e4f142b07a253b01f2296f66b791e12c34053b2badab1ca29f6d9af5355a297d72c01e49c5d0b1187cde59c4eae7aab2

Download Submit
C:\Users\Admin\AppData\Local\TempOULIN.bat

Filesize
163B

MD5
c01804d04d7aae2fe9daaec9ec0494b5

SHA1
843a1b29b2fd79b22a405437f8608cb14e834a51

SHA256
ceb5a8f506052dc474433e08d21bc248eaaa20e42296748b6b4ddf1c3093d37f

SHA512
1449a9ec7ea5b5c79af8c36f428e52571a9180978c1c377d1c943206c89b58698fda88da94ffd201f56fa5c1e85fe88f811b09938caf1ed0f739626d7d00d647

Download Submit
C:\Users\Admin\AppData\Local\TempOXODM.bat

Filesize
163B

MD5
382732f46ae18b3c9f2edfd1a50e04ab

SHA1
973a63714303d4235babcd2f2298019e4ce80c37

SHA256
3b9b5a3b4f1f6c9dddb5692159c022d450c453be67f6de22bfd417abc25d3a65

SHA512
18c394178e3e61789e020b8082090cc2efa97e73af1a5f400111108370c0d6f3a39456ce8a0ac9694568e90e78547905ba8a9ed097bad4f5ea02eead234fe8d5

Download Submit
C:\Users\Admin\AppData\Local\TempPFTBJ.bat

Filesize
163B

MD5
1b2b644ee57b41d54e8d5ed7a5b1e585

SHA1
54b9ca819dcda23c9819652d91434c61fe7aa6a9

SHA256
80142839c3760b77ba4a8829fce31c52e132f4962cfac00f6cf5888c75de4497

SHA512
d18253bf35ab0d9ff50e8a932b987a22b804a3e14ce0c4cab39f9335279368c23b420b5f9050400e50c17ede1811a7a5b8b443a40d42cef741a40881b81f26d8

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.bat

Filesize
163B

MD5
28dac74be860d616fc2e60c307aa9f76

SHA1
a01781f5e3ed2baf0c3ec26e44899a4b7cb204a9

SHA256
f12c00003ebb3f29638e2935451ffa777862c60f117908ad0069ae626efa9dae

SHA512
da3612c8a03303cd5a54f75248fae4162c3ff7b4b54d97b318df2b2cfdc3920c7401d7f4e94973c6ecc540f5c3b4226f9488ef59322b7d2f063c8d7b25473515

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
e6e8c0424ae1e715169b3e6ecf75fda0

SHA1
1cc57ef6d1ccea6fee7573ab89a1d00ac2fc2a84

SHA256
a7124ca088b40ecc12c2335050e84d7baf076884671c3da4cc093c4e143bd025

SHA512
d0f64d005f3c77e61cf58ff4b257f5685b8497bd1445ed2e736ee05aa84f0ba81a6c9cd80e01bd0049df882ceaaeeaf6bfeea1d02a4d42f92ebb597e6732d03b

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.bat

Filesize
163B

MD5
8680f9d1e766238ac5ef8cce14b72a1f

SHA1
85b397c7a9195e2e612031de3db215707c0c9bfd

SHA256
aec51838aea6b108ce9c6790c4dd91ad85a34732e747f1992084c9a30999664f

SHA512
5dbece545c752024f0d8d9d034f9bb45957cf3d58025a4a93c1d139a0e470a7de6d011d7a2b39a15d5536ef5841a0c792f13d8aef56b9fbc0686569ec43f63ff

Download Submit
C:\Users\Admin\AppData\Local\TempQUQXM.bat

Filesize
163B

MD5
3c826501342cbe4e8131efa6b6811b11

SHA1
f52027d1ad44d98559eac2865301671612fc264c

SHA256
e273e776c50d46a2199c13e2519917b5dbe3df6e469e4ba77d6dfc5608a0deca

SHA512
aa71cd61d7d9483cda52a9461cae6d58e925dc5908fdd53a350e43686f3db91d53d528eadab69ea84d8fa1cd477842d16adea836154b201de687278a01188126

Download Submit
C:\Users\Admin\AppData\Local\TempRDLDG.bat

Filesize
163B

MD5
1f73a639388b645d2ce6819b5a812d6f

SHA1
bef2a6fecd038ea812096f92aff697c1d7a92a87

SHA256
1286663f80dda40e712bac08186e853c2f24ea2b02a7f87d07703877c05d8581

SHA512
9346651adc110142f86b8993a3bdf1e9e9b70c8415f1cfa1d8381834022a23d3c33482bf5feaf569c4bba63f5acefad37ac400750219e9ec6a4da0d5bbd4274d

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
a4963aba3ce95dbdbc2a8b355d15db70

SHA1
6381c3fddf31277e3a643371d13707bcc036b5c0

SHA256
14acce0c2ba59b3163b863693b8832963e8ae5896d90f754a4c71215cbab6683

SHA512
6a9826e06a2574fbd4e2fb230605e8bce06012cf2bdbc8ec2f2dc7c7a31173588a916d853d35266c124748b9ac7f0044893fd9d6635cf05153b68171d6cc3795

Download Submit
C:\Users\Admin\AppData\Local\TempRVQXM.bat

Filesize
163B

MD5
c8a5abce95c3ec6f82309abd82753e05

SHA1
e34619a4b4367cf3150f6af18d8254fe1217733c

SHA256
913b603ca39f382bccd086d08bb1205376b261aa6a6ccf98203ac441b72dd133

SHA512
80c5f11454b1525ab013434ebed7ea964eb0bf6e31827f6280eaa60c114409c9856af6dd8f84032e138153709991da20c0bb508abdebbc072f496107c04df7ff

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.bat

Filesize
163B

MD5
cca137880022155eb1ae5e4a1e8cc46b

SHA1
98f7b54551aa6ca13ef94d577f16da0f99338dcd

SHA256
087a31df68cc4b18712e544cb459f4721173264bc87dda724de0e0a161efcb27

SHA512
3f59023dc0fcf4cded16814e91ae74308394a334ea5704a04e088381ba9735e6d1976796554124a6d8dfc5fd1c9d3cf235251cd0ecceecd3a2d76c7e4185d226

Download Submit
C:\Users\Admin\AppData\Local\TempSAONH.bat

Filesize
163B

MD5
b56d2aef6eb272088da999c4ca61ff15

SHA1
c99e3a660fdeb7fe50837ef6399ac662739bd5eb

SHA256
dd5dcacab5b7857e3a7f7c73d11354cc7804bff10255cbc9eac25ebe16a6d7d6

SHA512
abfc12e28832887cd3beb543fb5b653b433e3f2717e66c7f3d6527cfe76bd15229b8b3a89ec3b322f5763e087468af20cdfbf92b3122bacd7b76b370c9e7a44c

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.bat

Filesize
163B

MD5
dd787b7a40270bd2ff8f584a859b220f

SHA1
58aa72c78d4b9f53edcc8f2b66a645ebeedb17d2

SHA256
eb8bf9e0587fd9877e5ff7cfb523532d1ff8bc30264ed0b207ce15727e1e58dc

SHA512
4df20186e4541ffb3ab268b7166263a076dca627238c06bec758c4808091a21aff76eb60e9b002a49dc93c21157cbce617ac73ee1c02ce845e43f1046908c0ea

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.bat

Filesize
163B

MD5
d6b227bb2a48a3ed18462019886bc0f7

SHA1
a814b306791790127f49e5aa21fa6830a4af0724

SHA256
dd36c12c0a124c5c3553a33b4971b01c02574d3451aacd04d1b7f3569eeab9ad

SHA512
6ece2568901093885364347a0b251cabfd57c64ac34e2c4ac5cd9d8bb5a515fc3f06b6dddd1add5a60d2db0a31d4374b1f3354a9a9f1e5e35210962064ba6685

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.bat

Filesize
163B

MD5
78be5efd6f00a17dd035880f8b17f7b5

SHA1
557d916dfc0a62bcc340f3f54f15edeb8ce2a14a

SHA256
68d647e33e63f912b96928a9146aa07146c51e812e573e0015797f67040aef5b

SHA512
09eb040eab976a5bd9f1226cb583c31b5270107ef35db5ab50cff97659a79206646f015828eaee73119dfdb1a323cb3df256683b0f7c076e66616a16498880be

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIW.bat

Filesize
163B

MD5
3a7b5daecf6d94a28bef46118b7e9e8a

SHA1
764d0657e9703db73c28bec777b74833b9d5e79c

SHA256
5b74be599194d39ee14be10ad502cbd2cc1eaff435ff5ec3d3431d261aaeeb8d

SHA512
e2266445526d6a55ea86340f8fc5aba23720d7c8fcf9b3d6c20a402410bdab3b710fabde8ac8a17b5e15f4f2b9717ed77f8c8b85bee3344833650bc397058f9b

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
38097e1b24f57471d24680739b536973

SHA1
622ea50ee17aaeb4bbcbfe0c10fb7f98271f536f

SHA256
266ef99301ba6db3b9454e9ea1af017104a1c29bf47860034da22bf82ae516a2

SHA512
a19a94c7654377f18fdaebd1abc35e9f280cd2b042fa87f59203f462db6c6b50795aaacd27c98c6084a3d5968e6f98a01e5581aa4edfb595453027b555adc727

Download Submit
C:\Users\Admin\AppData\Local\TempUYLMJ.bat

Filesize
163B

MD5
2a8ecd4f4d9d7f3bf09a28f08ecfb6c1

SHA1
bee71558a8e4d45a853a567d1390f03828f243fc

SHA256
284a6be0a9085395198aa97fb0181834689816cb2d3b1c3d169bea2693d78aaa

SHA512
0de144288f8f82f477dae66b635df2c906c30d8c21907f1bb4320053c1b830ad933c87a1d6e09276bef55df2ec464602deddafcd687ac063a68ec0ed7c243901

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOW.bat

Filesize
163B

MD5
fe5d4ee7b49b20431a910d565c5f9b9c

SHA1
d73a6dd3a7d59b7fef87d81cb2f048dbf92535f3

SHA256
52e8d88a6ffda3384fbfe8cd9e9b3a5a93548d14473452b6fe88443ea3c04736

SHA512
f41eb2dbbd558429f606bc59d02f205933bf54f5a2453d880dd1a12819fc91f55c47bea6bcdf81dccee60f5cf79294bfc82b8b58a727e8006b7e75737a4ae99a

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOX.bat

Filesize
163B

MD5
c2a4762e032cbbe793d4bc3802349b03

SHA1
a267ba061ff095b053a2db506c206783b8d35160

SHA256
8d3d719e2acdbbd0d8aabf115abb5249b263b539a0f1370a24f7c32d39568391

SHA512
4f27c5af33eae2f129b5560034d134c9e5eacb389378eb0ff5daa7eaec7e35d7ad28d0fedac064334e2a528fe310c45386aeecf5b65954d68924ea9eb74e0be1

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.bat

Filesize
163B

MD5
6c0c0682818e396dd2f8d9cc3b15a377

SHA1
a7eef2f27232378b934bab9619f061106b788aa8

SHA256
67b5558d7dcd6bbba6bb4af5c56c29ac8051add17ef2e9f8e2f1881230ff9492

SHA512
3a31d50d9a6c59aa3e3d742a5bbd6d4f7a5eaf40e8d3120ec43d088be209e321f8e9efd3497c408bd1f639dd0dab0bfb1b9525b80d50e09774bda341a3e16bb0

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFO.bat

Filesize
163B

MD5
dbfd9b6db7038be035b143a5c27f6de5

SHA1
4ea42c16695201dcc20a48815f3af93c59c892d7

SHA256
b90b026d1eb0eba3c20292a65232d3beeb08b012d29063d427879b455366a2cc

SHA512
03b713d9248e078de7c3d2262e504d7454076bbffce59f94bb8dad5e394a0eeecacec6eba35a8f5f67972225c20873e4f17affe70d573a7d57ae0a952f958403

Download Submit
C:\Users\Admin\AppData\Local\TempVYLMJ.bat

Filesize
163B

MD5
c3318b15f42b017e3d1b9151d104f2bb

SHA1
0c4a8cb7b36dd2312cc7120476b96d23fe087bcb

SHA256
30809da4e70e252cc155998515e633dab26a02c5df8517af694fabad2d1859ca

SHA512
b1a1bb15e9589da6aa9395c23c4f6de9511d3c5760b6121fe7cff8fe3b06c8790dfb1406d523b94045c1e4c792616b5b114abab570876903f718da40c07f4631

Download Submit
C:\Users\Admin\AppData\Local\TempWLHPG.bat

Filesize
163B

MD5
47376af364c01fa68ffc4ff4dfe5aa24

SHA1
89b3da7d77dd38aee3cbd92ec96e2423488b8723

SHA256
7eeda6e5b13e712f35601853ad61c2d053bb2a1f11fa38d1da4c163fd3d60451

SHA512
9eafd3d81ba539f80dc3b05c995ca31563ea5ccc2cd531f29e796ff6eb59004464db0fe56f39e656788c2f5636c005560ef921740cbbea1cbb70c18bebbbfbd9

Download Submit
C:\Users\Admin\AppData\Local\TempWVSST.bat

Filesize
163B

MD5
86550c4045ded27f9bfcc444dbc3fe24

SHA1
01b7dcdc9ee8c7ff89d01066db04249a81eeff91

SHA256
36dadacba29ee174b5948d034f9c17ab59afaeb3e6b696f7633f2e4c717a3d78

SHA512
90794a8e5f439b0771d24a3e84800e5340d42e184fa232b0395e809a9ef6953a68e8347c49a8074ce31014100319eb7a6fe80d9557e169f75bd8b60795bd1dad

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
2d88b6f973244a550fc52969ff4731d0

SHA1
c2ee94c917051b866b4e86c4a9172cb5bd55fcbc

SHA256
725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b

SHA512
7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.bat

Filesize
163B

MD5
22abdaedcc167e08640650f0b0365efa

SHA1
97a14669110d8d28b6b09ec91f3972afcd0d5d85

SHA256
7e289a598dcff1e659c493574bfd3915771cd40748ca4f81e573b97552f7a16d

SHA512
22bbd26fa520c88c48cf4ec9ca5181d6f240883186a0d8eceaec1cbb05edf0b7e21e561e2f6a03e750cb873c916b2871fe5f9aa5afe5e625503c831dde4264ca

Download Submit
C:\Users\Admin\AppData\Local\TempXWTTT.bat

Filesize
163B

MD5
83a5c7ea29f52fd714fe9135d4c9f0ed

SHA1
475a7a0425bc90d70dea40631da61d1bbb900a1b

SHA256
33c18740003f38f83951594d39122444c9375cf788eec4197d7a5b3123b2f24a

SHA512
9f3754e2ab92cb8f43fd403106a3ae58609317b00b483fc8f18da1e61261b044f5150b4f8a895e87085102e73ab7441cb31adf00a44b75a5adacd16d1aca54ac

Download Submit
C:\Users\Admin\AppData\Local\TempXXMVH.bat

Filesize
163B

MD5
499f28c3cf9f9a65e910a96285200b04

SHA1
afc96b158c405ea2f14d7c25ec591cbd96f5bbbd

SHA256
f3628fed62e94cd59dc8b4425aef376e24671f44c5be4c46ec8c421fa31e1d30

SHA512
866dd62b66d4ea962e6801cc1c944e20bec90c8575da3c3484424618e21e9789b38a5cf6ebd0e90e400ce1891dca447f9dac507e45682880605cbf9376488dfa

Download Submit
C:\Users\Admin\AppData\Local\TempYGUTF.bat

Filesize
163B

MD5
86de30a65a5f2f69c1f4d7f48aeba780

SHA1
e661175575432485929b421dc1c7dba249669a6d

SHA256
2b2d831a75cd7493dbc4e4fb694dd2540ff76028466e608437dab79c98e8978a

SHA512
70016d728df0df14b84bb7d3f715ae4e6e9f0cb01ef08631b3864b159ea5e3a894fdc0e47ccd9289138be17b9e9377ec4431aa114e5353a7cfaf0aa77a948d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe

Filesize
520KB

MD5
fa390d2895a78408c2879519f777feb1

SHA1
86562ff475952f64cc5b79e8a97744445c9bf7e5

SHA256
6078c1903ba4e600640f375cc74f20931c7695ede4ba5bc5be89fcbb40f54b7b

SHA512
7ef56442a9cf7073776251e8a3ef1870ce562fa26ed2f7f7e0fc4489b096e6b2b415070cfd515a3318a3d8a665b775a986d12ecdfc2cc4990b95b3671e6dc1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

Filesize
520KB

MD5
14a2ae4a01855ab18136cfc3b78e860f

SHA1
62ba96f5b5cd8012a191bf52103a9e64e3dbef31

SHA256
a8227950dd7b95672d21ad169886d7519a1fbee94a1be1a71a2134d8732c6993

SHA512
51b45e4bdcde7effbe7ea15244a7c4c8a9dfc4fcc318a3034294173057454629fe3fdd0922fafbc9017b35c0857c0af0c582d60acbe48495814bcd5b6202fe31

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe

Filesize
520KB

MD5
33001b4d576b88dac966dde39b721312

SHA1
5c41c1b4d015de2e19a6fc39ba5069bbdb80e27c

SHA256
89c43700e16e7e21e0bfa9838b5f8baf96581d202e76b848b89a0cdbc93190ab

SHA512
e0fdc7b4448eb14484b6ce8712cd9b26f59697afb88287bcbd7181088e14530fa965010fb5c0029ec3e02a49b247bb8b4d5a1fb7741c803631aa3ba8185407fa

Download Submit
\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe

Filesize
520KB

MD5
7217ad88d705e27dc143d4ca924c2239

SHA1
2b677b4a9ea78c50520e34e5acf595ef9c0fc4be

SHA256
01f039b06bc1ec450caeaa1112166b97034767a3f8eb1d5b71b796b33bfdcea8

SHA512
5a8ed907cfbf72915eab29fe5318abebdae9ebfb33e74381ca5accac967eacf8c50b908a36350a8ce52f132bd2ea9915a82911cdd74e769a34e2252b6092912e

Download Submit
\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJRDKP\service.exe

Filesize
520KB

MD5
b7d89fddaab58c73bfb437592b634306

SHA1
7cb30b600ef072b815ca67f77d3d807c6be308a4

SHA256
92f722881cc036dce49e5e2222a8b9ad5c0f662c0bfa3e298416e1d0009da238

SHA512
0f94b57a198cc1b0f5917a002693154162ddc0236aab40b3f5f31ad288ac2ae52b6a6c829e7efc33d97b6a9eafb3f57eca1efc2f624b27882f8913a6fd273ef3

Download Submit
\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe

Filesize
520KB

MD5
177e650e6ccb8f66358c4f850f6165c1

SHA1
803af6ee8995804cec72704a91731a8e8025151e

SHA256
3cc8546c233bdb9d1c60486cd011109646badfd7470eb4a172d2bf98305fd303

SHA512
c886a469c908c6c320c53c475f3baaf72f3e93a70b6df3a2a40a44abc729a18be2524c8c7cc830745cf78db5b297a0c6425bda6350daee1178be543d06817b7f

Download Submit
\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe

Filesize
520KB

MD5
09a36a85963aa01468899ebef027a3e4

SHA1
faed56d9e1ffa1bbf469e3b0939a976adc9cc20f

SHA256
529916d1519e64018df85493542dbed4d1338ce7e05a9bfd10cdb6c857108d13

SHA512
b0ca88275687a2e9e1a6d8fab9100fbdfe5b26731a69473546d13565689390f3c6328df67234883a9771d38fa95defeb14879543d966e9cad909cea20538f41f

Download Submit
\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe

Filesize
520KB

MD5
72a554fdc47e4834804b979230d6b2f9

SHA1
59fdc5152961989b2e0a7e4a25109dbb8219d472

SHA256
244423f7fd412f6d3165eb979a5ba4c0f424ad443183396146d938efe4e8b174

SHA512
4148186ff263495018d09ac6660ee0bbd571d2e4f08059f4cc55ea8d25298fac7519ad21c9ec1d596b27069d5b83e5ebc152a528feca38b7c2a6644e91db0c7b

Download Submit
\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

Filesize
520KB

MD5
e7036a5c92e0ff82375e735db0183c69

SHA1
b437150ccc6d48365b79520a5c6a98b6ce084184

SHA256
1b399123bf8ab2dce69f199417a8965b0214b680de19a14fd3ea1556659898c4

SHA512
eee32b711f386feae16feea6f58d4a118376aa6fef4d1a7063782ebb747dcca8ed8c3e89c303b5d3f77db39fb1ceaa6b52404a7ab41e91a6cee171a37ae53791

Download Submit
\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

Filesize
520KB

MD5
36ce104b6f695d1e7cee8af7ed83e896

SHA1
20ca5d415eca6fe8509df2c12f6339958427d0c7

SHA256
680ad53d458679c93b3fd1f30de619d4382b1f01b81a4d235d26b7a23c57ebcb

SHA512
5332b0c6445017f9e13b13fea3b01d6a5fd2998fd2651e84fd7b0291c7d8e591f758da47277cb6ee08f8ae8a0b187cd1aab55d3c18788e9ae6ac403cdbebdfd2

Download Submit
\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe

Filesize
520KB

MD5
baef1215a332ba0e5f6a1d4bdbb2c688

SHA1
3941d7b79dc60b0df82df8063b45d4d3906054ca

SHA256
1a9790bb34f8f41251e43cae5207ca820d35f059289462b2c0d669050f49334f

SHA512
283eb0ac9f8ef73e4d179c4b79597897d9f2356a3618e6ca7750d973db52e4df65416ac38bfe3b2c9cc2b5f7f5a6a3658a1b105fe107476f457698d3cf12ef81

Download Submit
\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

Filesize
520KB

MD5
bd6a6136589e5b2fdb9b6724c2adc53d

SHA1
b0acaef4c81ef0a63add8f8ed6093be7d4961719

SHA256
ba42961a03176ce9b1eb20aa1ba29c16ae4197a5f7dc2424e889519c7447c5c2

SHA512
c3cc358ce4f564024252b1bcb5744dafc0406ced96293de7c8a983ed2960de55d072dc8574ca03a77404649db9a01ad8e586e3d6e73c90dfb0f7023397a3b301

Download Submit
\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe

Filesize
520KB

MD5
a2bea6e8c7e9500c00261a9239d8168c

SHA1
eca6f0b5154056e8844c2289f4721fa46b778069

SHA256
5d33c9defc95143b2bce4008cefeeb2b5bcf4b7782ca53cd7ee2f0c8a91a7e1c

SHA512
eeabc6604ed054aec6821110579a64cb7d0f79b4a44132b749a743074e46737c03cd8e3e926e5bd76c95353220b7fccb1862c4d9df6140972d659935df73af67

Download Submit
memory/2036-1605-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-1610-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-1613-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-1614-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2036-1615-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads