blackshades | f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
Size

520KB
MD5

6171daa8191b44fd399b665185507d0c
SHA1

d2e308c57612313bc6bdbde0442e3c1906ca0caf
SHA256

f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2
SHA512

4325c597c31dcd5e281aa67e9388947c7cb083a08c772adeadc6cb3d63af3f3e89621e8d359ad4e8e04664d8550634029d93d193275189015109baeea84bf650
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXU:zW6ncoyqOp6IsTl/mXU

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral2/memory/4376-1386-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4376-1387-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4376-1392-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4376-1393-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4376-1395-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4376-1396-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 56 IoCs

pid	Process
440	service.exe
3928	service.exe
3024	service.exe
2176	service.exe
3656	service.exe
1824	service.exe
3408	service.exe
116	service.exe
620	service.exe
3008	service.exe
1364	service.exe
4228	service.exe
2860	service.exe
2128	service.exe
2176	service.exe
3564	service.exe
8	service.exe
3228	service.exe
3080	service.exe
996	service.exe
4440	service.exe
4000	service.exe
2808	service.exe
2656	service.exe
3820	service.exe
1096	service.exe
1856	service.exe
1912	service.exe
3076	service.exe
216	service.exe
5004	service.exe
3380	service.exe
1072	service.exe
8	service.exe
3396	service.exe
1732	service.exe
3508	service.exe
5024	service.exe
2080	service.exe
2972	service.exe
4048	service.exe
2808	service.exe
1076	service.exe
208	service.exe
700	service.exe
2860	service.exe
2412	service.exe
348	service.exe
4552	service.exe
784	service.exe
2424	service.exe
4180	service.exe
3492	service.exe
2676	service.exe
1404	service.exe
4376	service.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFRXNLPKSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYCNLKOBFBPVNDD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVWKXIGLYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRCBFXWTUGMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OWNBCXTOBXJYDIX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DINAMUMBVRMAVHW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQLBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIFKFMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAIROJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UFDHCKWAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ITYVJVGFJWXAKQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBIDYTGO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYXFPFKCTKJT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIEBSYQGGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVUCWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IIVCLUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXTOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJREKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVVIKFDFVJQLPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXYMRWDDBJC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JURQUHLHFVTKKMH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMTOERIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVGHAUBSOYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACWTNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XENXVFBMGGXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRNLSNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSPJTEUDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LHCSLMVYLMJSEKP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QRNLNDQYHSXIUFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYWAOESNLQDQSNG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIDCIEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTWYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTEFSYQXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDWUDDWMIQHFRON = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJHPBIMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOCOAXCVUQREJQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAABVBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCHVUGOGXPLGWQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DPQLJMBPWGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRIFATXJKHQCINA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KPLLXURVQYNOBGN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GMRDBFAITUQOQGT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JEDRHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKDIPYBBPUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UBBHAETTGIDBDYT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJPGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QGCYXBOESOMRDQS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJNJHXVMMOJCFGP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFGCACXSFNHMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 4376	1404	service.exe	328

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1152	reg.exe
468	reg.exe
2556	reg.exe
3380	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4376	service.exe
Token: SeCreateTokenPrivilege	4376	service.exe
Token: SeAssignPrimaryTokenPrivilege	4376	service.exe
Token: SeLockMemoryPrivilege	4376	service.exe
Token: SeIncreaseQuotaPrivilege	4376	service.exe
Token: SeMachineAccountPrivilege	4376	service.exe
Token: SeTcbPrivilege	4376	service.exe
Token: SeSecurityPrivilege	4376	service.exe
Token: SeTakeOwnershipPrivilege	4376	service.exe
Token: SeLoadDriverPrivilege	4376	service.exe
Token: SeSystemProfilePrivilege	4376	service.exe
Token: SeSystemtimePrivilege	4376	service.exe
Token: SeProfSingleProcessPrivilege	4376	service.exe
Token: SeIncBasePriorityPrivilege	4376	service.exe
Token: SeCreatePagefilePrivilege	4376	service.exe
Token: SeCreatePermanentPrivilege	4376	service.exe
Token: SeBackupPrivilege	4376	service.exe
Token: SeRestorePrivilege	4376	service.exe
Token: SeShutdownPrivilege	4376	service.exe
Token: SeDebugPrivilege	4376	service.exe
Token: SeAuditPrivilege	4376	service.exe
Token: SeSystemEnvironmentPrivilege	4376	service.exe
Token: SeChangeNotifyPrivilege	4376	service.exe
Token: SeRemoteShutdownPrivilege	4376	service.exe
Token: SeUndockPrivilege	4376	service.exe
Token: SeSyncAgentPrivilege	4376	service.exe
Token: SeEnableDelegationPrivilege	4376	service.exe
Token: SeManageVolumePrivilege	4376	service.exe
Token: SeImpersonatePrivilege	4376	service.exe
Token: SeCreateGlobalPrivilege	4376	service.exe
Token: 31	4376	service.exe
Token: 32	4376	service.exe
Token: 33	4376	service.exe
Token: 34	4376	service.exe
Token: 35	4376	service.exe

Suspicious use of SetWindowsHookEx 59 IoCs

pid	Process
4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
440	service.exe
3928	service.exe
3024	service.exe
2176	service.exe
3656	service.exe
1824	service.exe
3408	service.exe
116	service.exe
620	service.exe
3008	service.exe
1364	service.exe
4228	service.exe
2860	service.exe
2128	service.exe
2176	service.exe
3564	service.exe
8	service.exe
3228	service.exe
3080	service.exe
996	service.exe
4440	service.exe
4000	service.exe
2808	service.exe
2656	service.exe
3820	service.exe
1096	service.exe
1856	service.exe
1912	service.exe
3076	service.exe
216	service.exe
5004	service.exe
3380	service.exe
1072	service.exe
8	service.exe
3396	service.exe
1732	service.exe
3508	service.exe
5024	service.exe
2080	service.exe
2972	service.exe
4048	service.exe
2808	service.exe
1076	service.exe
208	service.exe
700	service.exe
2860	service.exe
2412	service.exe
348	service.exe
4552	service.exe
784	service.exe
2424	service.exe
4180	service.exe
3492	service.exe
2676	service.exe
1404	service.exe
4376	service.exe
4376	service.exe
4376	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 2988	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	90
PID 4408 wrote to memory of 2988	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	90
PID 4408 wrote to memory of 2988	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	90
PID 2988 wrote to memory of 4220	2988	cmd.exe	92
PID 2988 wrote to memory of 4220	2988	cmd.exe	92
PID 2988 wrote to memory of 4220	2988	cmd.exe	92
PID 4408 wrote to memory of 440	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	93
PID 4408 wrote to memory of 440	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	93
PID 4408 wrote to memory of 440	4408	f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe	93
PID 440 wrote to memory of 116	440	service.exe	96
PID 440 wrote to memory of 116	440	service.exe	96
PID 440 wrote to memory of 116	440	service.exe	96
PID 116 wrote to memory of 1184	116	cmd.exe	98
PID 116 wrote to memory of 1184	116	cmd.exe	98
PID 116 wrote to memory of 1184	116	cmd.exe	98
PID 440 wrote to memory of 3928	440	service.exe	103
PID 440 wrote to memory of 3928	440	service.exe	103
PID 440 wrote to memory of 3928	440	service.exe	103
PID 3928 wrote to memory of 2540	3928	service.exe	105
PID 3928 wrote to memory of 2540	3928	service.exe	105
PID 3928 wrote to memory of 2540	3928	service.exe	105
PID 2540 wrote to memory of 1396	2540	cmd.exe	107
PID 2540 wrote to memory of 1396	2540	cmd.exe	107
PID 2540 wrote to memory of 1396	2540	cmd.exe	107
PID 3928 wrote to memory of 3024	3928	service.exe	110
PID 3928 wrote to memory of 3024	3928	service.exe	110
PID 3928 wrote to memory of 3024	3928	service.exe	110
PID 3024 wrote to memory of 4808	3024	service.exe	113
PID 3024 wrote to memory of 4808	3024	service.exe	113
PID 3024 wrote to memory of 4808	3024	service.exe	113
PID 4808 wrote to memory of 4744	4808	cmd.exe	115
PID 4808 wrote to memory of 4744	4808	cmd.exe	115
PID 4808 wrote to memory of 4744	4808	cmd.exe	115
PID 3024 wrote to memory of 2176	3024	service.exe	117
PID 3024 wrote to memory of 2176	3024	service.exe	117
PID 3024 wrote to memory of 2176	3024	service.exe	117
PID 2176 wrote to memory of 3168	2176	service.exe	118
PID 2176 wrote to memory of 3168	2176	service.exe	118
PID 2176 wrote to memory of 3168	2176	service.exe	118
PID 3168 wrote to memory of 440	3168	cmd.exe	120
PID 3168 wrote to memory of 440	3168	cmd.exe	120
PID 3168 wrote to memory of 440	3168	cmd.exe	120
PID 2176 wrote to memory of 3656	2176	service.exe	121
PID 2176 wrote to memory of 3656	2176	service.exe	121
PID 2176 wrote to memory of 3656	2176	service.exe	121
PID 3656 wrote to memory of 2548	3656	service.exe	124
PID 3656 wrote to memory of 2548	3656	service.exe	124
PID 3656 wrote to memory of 2548	3656	service.exe	124
PID 2548 wrote to memory of 4816	2548	cmd.exe	126
PID 2548 wrote to memory of 4816	2548	cmd.exe	126
PID 2548 wrote to memory of 4816	2548	cmd.exe	126
PID 3656 wrote to memory of 1824	3656	service.exe	127
PID 3656 wrote to memory of 1824	3656	service.exe	127
PID 3656 wrote to memory of 1824	3656	service.exe	127
PID 1824 wrote to memory of 4388	1824	service.exe	128
PID 1824 wrote to memory of 4388	1824	service.exe	128
PID 1824 wrote to memory of 4388	1824	service.exe	128
PID 4388 wrote to memory of 4628	4388	cmd.exe	130
PID 4388 wrote to memory of 4628	4388	cmd.exe	130
PID 4388 wrote to memory of 4628	4388	cmd.exe	130
PID 1824 wrote to memory of 3408	1824	service.exe	131
PID 1824 wrote to memory of 3408	1824	service.exe	131
PID 1824 wrote to memory of 3408	1824	service.exe	131
PID 3408 wrote to memory of 4416	3408	service.exe	132

C:\Users\Admin\AppData\Local\Temp\f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe
"C:\Users\Admin\AppData\Local\Temp\f03422ea91c93c113ce844fe84263499cc5a066b71df6353285219c1619d5df2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRCBFXWTUGMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4220
- C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe
  "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1184
- - C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe
    "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQLPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe
      "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFQW.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OWNBCXTOBXJYDIX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:440
      - C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGWXU.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DINAMUMBVRMAVHW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempADEOJ.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JURQUHLHFVTKKMH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRAQRO.bat" "
        9⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCHVUGOGXPLGWQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNGKLU.bat" "
        12⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QGCYXBOESOMRDQS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWTNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
        14⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        16⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLYKSK.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJNJHXVMMOJCFGP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
        18⤵
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        19⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
        20⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RFGCACXSFNHMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        22⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFRXNLPKSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSGP.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        25⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIDCIEUHPJ\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQSXDE.bat" "
        26⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IIVCLUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        27⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXTOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEMD\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMGGXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIQCI.bat" "
        30⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTWYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        31⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
        32⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSPJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCHYUU.bat" "
        33⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLJMBPWGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGPGE.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFKFMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRXDE.bat" "
        35⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQXMWMI\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQXMWMI\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBDFXR.bat" "
        36⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LHCSLMVYLMJSEKP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        37⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIVWWB.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QRNLNDQYHSXIUFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIW.bat" "
        39⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
        40⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKWAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJLUQD.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYWAOESNLQDQSNG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        43⤵
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFAHVD.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYCNLKOBFBPVNDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
        45⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCVVKT.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOCOAXCVUQREJQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSNAHC\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSNAHC\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWSSH.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPLLXURVQYNOBGN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXAMY.bat" "
        48⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBKBVK.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GMRDBFAITUQOQGT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIBCQ.bat" "
        50⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYVJVGFJWXAKQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        51⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKXIGLYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe" /f
        52⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "
        52⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JEDRHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHOINK.bat" "
        53⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UBBHAETTGIDBDYT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJPGXOCND\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJPGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJPGXOCND\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREIIC.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDWUDDWMIQHFRON" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBIMAD\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBIMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXIJHPBIMAD\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVORT.bat" "
        56⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        58⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        59⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe:*:Enabled:Windows Messanger" /f
        58⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe:*:Enabled:Windows Messanger" /f
        59⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        59⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        58⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        59⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
96b4ca64d7342dec2f9c031d813bf5a8

SHA1
92a2a016d2b0a5675c55d68f49bd49b0f35504e7

SHA256
db82a69e00689304f91706cb74399b74737e80d518f269683a46c9ca10ea23f1

SHA512
33e7dd4f90a225ad4e92cec3b665a4bb2b10303b8e6903b823dcda97dc5b208942919169fd53e110ac452b9673f9e26f63dfc23bc3d7e4589063d693942262a4

Download Submit
C:\Users\Admin\AppData\Local\TempACESA.txt

Filesize
163B

MD5
2a28d3eb244de60a40c4fd3612ab8c71

SHA1
bf705208da5e11170daed7c38869ec3416defc40

SHA256
6144e661320f24b4bf026af8b513273d6313fbf0ac21dc86a40031e30107a93f

SHA512
132127b030c84c266d3fce7c0b8589aae5612764a98a5198e271d8d984df91a30e174ca840071da364fcf2f2661deb03b1429981633cd3fa522f8f9c7f798373

Download Submit
C:\Users\Admin\AppData\Local\TempADEOJ.txt

Filesize
163B

MD5
f37b935d9a6a73c798fe7278cee73b97

SHA1
1466e1eef0b81dd021209ed40de8d9dc0b4d34f2

SHA256
4a6e9d01d02d7ef0096f735a3da7d955de4591110a1e6f5529fcc89a47098bc6

SHA512
a40b8d56e5e0488abdb8bad2140929f7487b2a25fb8c4c562c6e9dc35e826ff2cbd49c107c98eb4c7b46eb11362ae3c0a41a071527ff17f17959b6d0aae3c8f3

Download Submit
C:\Users\Admin\AppData\Local\TempAHHQM.txt

Filesize
163B

MD5
b84ec645cfd273b8b4d675400f9b031f

SHA1
340c8c92f96441966420fffd3272fbba7740f733

SHA256
d7e3cea5c38a74198ee889846ae8ef1573b6704668a94a362829fba56fc0be00

SHA512
5f77b99d2996483ae17c6ec4b6fdad0076550eb0052f2a1cc1462f56c7d24c1b95351653cc94507a633bce8e251e2fafbda23d4a179284567d79506f2740c874

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDQ.txt

Filesize
163B

MD5
3e90970df67721a1ab6c1de072aed8f4

SHA1
5281c3fe45e13e8c803463bd960d78a1c3fb9a91

SHA256
3080fa10e98cfb25be34ea00c30106314c83ef301e2f7427a5678d6f0171f3ea

SHA512
bd817c6acffe7a8ba380530e9d09a035c9c42c78b6afd51079548dd76f6c4f834a948150e4043c8b1b1fa825168b4c638b3f52de3deab191ab6ad4ba6e2f931a

Download Submit
C:\Users\Admin\AppData\Local\TempBDFXR.txt

Filesize
163B

MD5
fceaf6526d61d2674da912c2fa0b0d6e

SHA1
598864dde9cbc73eef5cfc0798e02e7175b9c08d

SHA256
dc4f2ceb5281754828db7e06bca9776c86073ea3e19b4c3de48cb461aa7aa1c3

SHA512
28af59c26f4ec812b9897ebb5c1066440068e0475829befb79d6403f0159c43d5a55a124dfa8665b7a01084c0c21060634ae96c188ee4c387d9f918034872c53

Download Submit
C:\Users\Admin\AppData\Local\TempBKBVK.txt

Filesize
163B

MD5
855be85add3b347a5124a7667dec9328

SHA1
abc559f729738109c563a9d6abb5f0e19db3c0d6

SHA256
c78c4e1ef3faad7f3e6a35deb2d9b28e8995263fdfde9da2b7f63c3b398bc989

SHA512
5515cf2da317a63699de39a00a6280029e165feb24ccd5311829fb83c788f6dd6487069f19ad02adc613f81540e92b385f867f14daea501ca9973a4096a5db2d

Download Submit
C:\Users\Admin\AppData\Local\TempCGWXU.txt

Filesize
163B

MD5
862d7bb83c5e4645545af1f0228bdc15

SHA1
5867e14f7b4894a0915376ea98f0a8f0cea125e1

SHA256
be55bd2aba0a876983354e81a8b91cca72450568adc46c12e16353b3adfc6c3e

SHA512
6e279e34a860cf61fee995ad95d002bae855f7d3bf81132035db696816875bf0c8bdc55d839a78d1096e4dbb57a7437020b69245f8f6902bb2b89ba6c3dec21d

Download Submit
C:\Users\Admin\AppData\Local\TempCHYUU.txt

Filesize
163B

MD5
fe86a1bcc9e6ab20e4c242d1b4b8a4a5

SHA1
8acdd52e21c9479143e8f19462ef8ae7d1f25e23

SHA256
4aade04c584e35c19dc188ec5bbce171d35b47a8d97244022dfd4df2ede1daee

SHA512
063953813d9d26ae3e7deddb68a44145fdbce3677dec57f9d31a6b946ff7bc42d540cf5f0bb5b570c80208fc2034cc0992dfdfcbe9a0abba32014ebe0922d65e

Download Submit
C:\Users\Admin\AppData\Local\TempCVVKT.txt

Filesize
163B

MD5
0912d6834484edcf4437011dd7da5493

SHA1
71542e8b17b809a4e3f4503ff8b5eefe09f549cb

SHA256
b84ceabb5e71b60136a126c25855b2a9cf523d59e9e95cf0bd1e487db047e2ff

SHA512
a69649eb4ee50ad913d3d539208cbc3434894abb62b285ec80b3451443c24a1dad19d75dc9fdac79c4bd4c9fe6a2c62e905ae4102268befef3244507a6da0d09

Download Submit
C:\Users\Admin\AppData\Local\TempDXAMY.txt

Filesize
163B

MD5
1f1d8e37cc450a99ddac87c7cb1f9a86

SHA1
031098a964f57adccfbc899b05f332bd80dbc259

SHA256
8ff70b00b060797307632716f7cf8022ca98950d439be373e5edb3a805f03891

SHA512
b87f0443f3710186636c4dfbb59e0b4f6b680a4e01f2c1b342025dedac022616d98e8f0f73ee8d974799ad7ded018ede6d9466a2375710d1899d4070ca341692

Download Submit
C:\Users\Admin\AppData\Local\TempDXWLU.txt

Filesize
163B

MD5
dfd4cab5f88961f37b56f920f0a3bb11

SHA1
20ff1258fc401b7bc515f6d7718123bc2fbae639

SHA256
9cd237b7606401f31ec6b1f136480b59cee627b1c57c6aa16c8dcfb01240fe6c

SHA512
2ea225c72ce94447d6a204a98ee8038a03e8d043f81a4f2f66ab930592dd984923e272342a08e2ac08e02b713dd4d948ff931fe8df6646058a71d6ab9f69e06c

Download Submit
C:\Users\Admin\AppData\Local\TempDXWLU.txt

Filesize
163B

MD5
cff11131c687ac8251e56c86de107394

SHA1
8e29cf9e4371943b580e93410862dc28fc0bc5a7

SHA256
5b12a46d3221c850e685732f9c9c5c745eb9ca97a885069bdef0ef25b9df56a9

SHA512
00555af5b35ad1db21d15f5ff67a6ac46ed17a93305c55565084c4c40797a3efe64f1bc6f3d7c8a436c5260e5b661159d196c532cbd528c44865e8c741a4c618

Download Submit
C:\Users\Admin\AppData\Local\TempFAHVD.txt

Filesize
163B

MD5
e394b9855c485f356497f8cfb5e2fd51

SHA1
a6ab560b0a9cfcc52986ae4a75696d34c32f80d0

SHA256
ad8b148230d12501c438a9e3adbd4f07323179fd5b4a46ed4fb6f0890fae5afa

SHA512
c95d7a13fbd76143aae9acec3ae21fd12f8270050b0901faa435f37f63c71e1e6067e1ab750da0209cef1a3cc4c2c11e91e21ed634cd66d5ebd9ddd6832655ae

Download Submit
C:\Users\Admin\AppData\Local\TempFGDME.txt

Filesize
163B

MD5
3005d0fcd06cc7876a54afe25f740cd5

SHA1
d23fecb1c6c2b981bb3bf95f1c81eb75b9f72f68

SHA256
23013d0573733ee1724744ff693569f91b6e27c95ea4c44af98e6279b4ad9789

SHA512
415c9340aeaf9d972fd9c982fc5f9fa8373b566ec16d82824e6253104e4699f5deca8555b8418de1d4d547883a0135f6aefd67e2aab00e9880eabff2b7227d4d

Download Submit
C:\Users\Admin\AppData\Local\TempFVORT.txt

Filesize
163B

MD5
48425cd5146e4dce755a0af2603362c4

SHA1
c3687fbcc578e9545067c6b6ba2a132a49a77a7c

SHA256
b479f6dfce7583be32581b64fffbd8697943852deeda8b364d40671193232e19

SHA512
2a2209b5549e65580d0766c14bd5e1ba67e7cd36dd9c97bf9d1c55d921304754525a22917b09846e59ec6d4f9924671ffd4522a40077d699c9107ce71e8439fc

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNV.txt

Filesize
163B

MD5
24af914e2bde57c4a44cb79995737db7

SHA1
973a1b33d958a5179586b15a0c2f88f59977b901

SHA256
2312c25986d358f09959c90e9266ca9e7cc333c60fbe3d9975f71f1b878466c0

SHA512
97f99c55df0a02dc4b43140a0cf89cd61fb14a7d66ff22309a2cb24deda33fb17f885acb8cd3fc25fcef21b32db36201dc1b0f22950e3a52654a82772f4023af

Download Submit
C:\Users\Admin\AppData\Local\TempHCIWE.txt

Filesize
163B

MD5
6680d055114ccab2fc1c75b9218f0227

SHA1
e5d1791b8bd7f1707b0f152156df4e49845a736d

SHA256
4fd47e0f04a731ad6e4d8a4233c3a1beda87f48b3651291352ae92eee93bbe0b

SHA512
6102e80d1e85220aece0b67b30d420340e31a213869b5f7d25cad39736e288bb7cdc0f7ba551d7d3c851954868a5e2f484e65db559969f65f796d41601f9d747

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFK.txt

Filesize
163B

MD5
da000290cd4c1570246e10c52c706ded

SHA1
1e9325069f98ba2de00632d0e24ff9a7887289a3

SHA256
8cc1c7e35601b97c9181ab01760b6408638d34c43d5b3c6a7f3c03dece510e30

SHA512
572ab3671a5c1c1be91f06ffc02ab5e0ce869734ff704ec090f3ceb5db4f0308151162518abc3cadfe5bb2cbdf9184bd2609ba28361b2f371b7fb9137797bcda

Download Submit
C:\Users\Admin\AppData\Local\TempHOINK.txt

Filesize
163B

MD5
f8e68814f5b246a01fd3581111738cbf

SHA1
8a4b551fafff4735ab651458547638328e3bd344

SHA256
4444356640f1336781a810a89062f2b73108ba07a3397f697ec87a61bcb81838

SHA512
952f9ee86eace778db387c369492831e94c2015d59f26be9345abf3a7bc01d16447a44de4db7a5c893999d9a37081575a1642c38919f0a19f679c1a6675f6514

Download Submit
C:\Users\Admin\AppData\Local\TempIVWWB.txt

Filesize
163B

MD5
366a41538de6f9e6e34443018c7f127f

SHA1
4cec965807386a541ea2db1676ac3f26d88cb4f8

SHA256
c5eee6251a9d71806100e3ffbdc5b089478c6cc0d1cb1a8f6991416f8b7d889e

SHA512
3e71d5fd8c6f6ee2cc6c76c8c267c1e599354fa8309a62a9333308494f0a3d46eca072290766736fb8e42660222bd61023c6c2bc2e16aec4460ca6505a99827d

Download Submit
C:\Users\Admin\AppData\Local\TempJLUQD.txt

Filesize
163B

MD5
54f97599e9ecc568d571b6a54c613cd5

SHA1
e332edd70875fdd7c7e3bfab063d4356044c64ef

SHA256
5693f7953720f106725229d666e70ba8860443e54ea44d65df3644fa2d95b892

SHA512
0b49002ba2df18985622b8c2acdba0c34a90384656521342efd4529eee52be3f5df9d231e9e2c548ae61eeeb3e3408f9f4d810d8bc59812d364b21531f612852

Download Submit
C:\Users\Admin\AppData\Local\TempKIQCI.txt

Filesize
163B

MD5
ad8b3a75642c6f8653d0e21597ab3e39

SHA1
354ee5e7f33e058e8b7eb0b081a10f9ef329b8c4

SHA256
f21df8487c91bb37e65df344f08e4f6c9f6519f314ab5bfd8cb8631ae1692fa8

SHA512
3fb110d259e7834053f037faacafe7a6de51187ae8969f6975b479b5872608a0e636ef9afc7b94ceed0571fa4e655f25c24db12d1a171366e8a4b01c46008bd0

Download Submit
C:\Users\Admin\AppData\Local\TempKSFLQ.txt

Filesize
163B

MD5
b26c8cc3ca5f915507cdbd939df6cd98

SHA1
41df0368c5141d0135229e8b792c94bc18980b4f

SHA256
f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3

SHA512
57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.txt

Filesize
163B

MD5
7a15e09f41d05fc64ee9e4cb16948b61

SHA1
d94c6b5e73e51a7ece157d81e54ac876e61006c7

SHA256
b60dcd6a5d898ec2fdd419c0de1919a01d3173f32b1f6298a9428913e3f5ba33

SHA512
c39da3ca8c21dfd1d0d3e52af08a69bd9fe6a56e4065b1b9c9fc3f6ec473f913a7c134fb79074d71093b16fda582702379db73b80bd5ca6089b1194ad6e1013b

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.txt

Filesize
163B

MD5
bfe87af784bde263c3f6cdf5cd36b72f

SHA1
f72c588450099da0760b82d9d48f1759a71e27a8

SHA256
aa48511caeb9d17d096dafc2f0f10cdb98e9347cfa9803888d1c03f8d038868d

SHA512
6aba5e69540ad6d6a9b9c3113693d69235566e75746b5481261173765460c5a033656ab3e697dbcd790089597bf61863069df9ec4b9725c6d65bd3431f79fbdb

Download Submit
C:\Users\Admin\AppData\Local\TempLYKSK.txt

Filesize
163B

MD5
625ea99f9987228b00e412beaabec739

SHA1
d26d2c19177578c3cdf9266f24a60383994651c7

SHA256
c57bacc825d1b4bcc0864bd6bea13e5233130d9a7b6f9e72526ebac2dfbb6b93

SHA512
4b7add8e83020fa3daade45fcce188630c1099700ff381feea05feaa9a796a2a755b13e66f7521f6422659bd70d12789436c88f5e1af0c192106529044751d41

Download Submit
C:\Users\Admin\AppData\Local\TempMDYBN.txt

Filesize
163B

MD5
603cf994ae696788d0fc577e52971d2f

SHA1
96330b38b46bca48bf7ba3c2d90a2a7bcffa51ae

SHA256
45bf3cc9caad9ca287b58b2683c1bacf4d0241684aa972bc99eca13990a09568

SHA512
e2e5b5501621a47ce48d063bfd436f2a6ed847e7c01f8188f17dfee444ab6fb31ebe8ad69f3a802128fcc14fd7531f678e7f0b9130cf6001d6a449103bfd3d6d

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
c615ff888de9b31ab0df3a9fd9c66be3

SHA1
3de79cb7d5f18ffddb2118be31247bcce52221e0

SHA256
3547e6502bac8d3359d48e7b6bef718f3f977b17867196e9151698553a5ea29c

SHA512
d40244416ab5b535b85b8feee6c491d13f20de5f8c37906365720a570ee802719d6ee0549fd8be924828153c22db3b09a90ed2f5f76fb3edd22b1426e39cb4a7

Download Submit
C:\Users\Admin\AppData\Local\TempMOXTA.txt

Filesize
163B

MD5
f923f9a874c558471f95291c85bdffd1

SHA1
5d9d4180276ab572dbfb8778cd374af8c40aefd3

SHA256
b79c4503f56fd3510f51d8f71e5da7efb64906de3de3f2b831faf37446c6e65c

SHA512
3fe23517954add4d4ba04b09feb547a275d85e116df3bf9d2a19ed60cae56253f20923e98f60d633d755980cb99080be3e08f64596527feab9787d319c67a31e

Download Submit
C:\Users\Admin\AppData\Local\TempNGKLU.txt

Filesize
163B

MD5
b056ff39f749c62421fc756b095b8c0d

SHA1
085794e784a2fe187803100a34d1292ed92af4da

SHA256
5c1b61df548a8efec021271c25aad17cc3788462054479ec7a83681ae133dc68

SHA512
d5e657bf86700ae525f3b0fe480e0c08aadf473f98b49a14a01d6cbb06d461db1c19fa4ea997b7d0741a5465b57db193f1c71df925b344444700b32d0d7ceb70

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.txt

Filesize
163B

MD5
842060c6457fc3dbc7d32facf481b979

SHA1
5bb342e8e9e738b8197148724171fafe32b369b0

SHA256
2ba67b7e60a2e4d40e35509f913df5fe2c3d0a1828c44d4dd7ae7fb9083590b9

SHA512
c55c7dfa04e45113689e4149bb0e864d85c943700529d46b8439388516e55813fe601c337a856ad043f183d7d4eb34ed70e6e2e754a42f32b05b85101e29a12b

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.txt

Filesize
163B

MD5
7e488893ead94784cbfdb3cad2be1267

SHA1
e179fa18b240c727b240a45d068e0eefb474c166

SHA256
4a63114693dfd3e67f87986e7bb37d64c885329c0817c3334b10ae87c5143cac

SHA512
2ecb16b534c6209b89d2f1cab3c7957d914228ac4c2bf9d3057150835c8b02638a25fa5350cc2d0059af153bffbf0743af9f08e0ded6418660079f0e9162ffa7

Download Submit
C:\Users\Admin\AppData\Local\TempNWSAF.txt

Filesize
163B

MD5
d2c9f517eacbdcb07002fc7dfe68913e

SHA1
11d9e0ed93406182b36c3bbaaccbb5581028548b

SHA256
7c4eb66144fd1df19059cdf87e21af9fc03eb6519f7193c597d08dca68e4388a

SHA512
d5ab2b68ad518eb79a1425b99dd148cedbbc6d61aa804b58e1b4074a94e9713d73efe7eca9f006f8763859fe537b5d2d379b2194aaa2b60b7e4aee9bddbe3d5f

Download Submit
C:\Users\Admin\AppData\Local\TempOWSSH.txt

Filesize
163B

MD5
d124cb7617298048f7e70e34d6bd98d8

SHA1
7b6073e08c4ae03b7f6c044ad15ef0152a0fbbac

SHA256
f716953a71423937e4c8eb5f1a0abd8087b978f6ffe0eec21d69bd76527d613a

SHA512
f530b3af9e664686ef0126f0f0b98c9438e4408e3ccb1e2df2eae940cc5f6430fac1c46644985b45782716cd1c05dd7e4afd19bfd4dad789ce6e96b7c23c63b5

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWK.txt

Filesize
163B

MD5
8c5d98fbda7d79e28c162146daffbdf0

SHA1
b0af89df54a4509d813b562d176276dfd2f143b3

SHA256
97a02ae2338d1384c249e677b1faddfa3176f4b83855fc0b3e62f5c91ef862ce

SHA512
222135c050f529358704594edb77520474575e525b34aee51ec25e9b71195442120bbdbf0a915d8f446b9c7345836b9bb0aa1bc1aa4ee3bc0f77f57ff19c8066

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
c0b3385161f32248102b45fb6b269bfa

SHA1
065ce91871e5f9045ed3d0e5c53419666664374d

SHA256
65f6985545d77851dccd9e3b752aebf0d17eaa29b0490911a10eb2cb306ab4e3

SHA512
21d0dd3076c353efb738dd93aa6670f6dc1495e7bcef8277466a5684e3b1345230817a5c5830b5820137010d0b4b1ae2d9c5b6dbe6c2753d644792da79b6f911

Download Submit
C:\Users\Admin\AppData\Local\TempQRXDE.txt

Filesize
163B

MD5
b8fd523ed03420c6841a1c5bfd5c6b38

SHA1
624d7133cd50d821efb32f2584a82285a54c9e75

SHA256
51341163a2584d33d8fdf7e41ba3a169dc758afd9aa902bbfed531f9628699d0

SHA512
e91df96c6b80bbce435a069c6e5f7f4b6876b651802676340e38602ba6123de021f4411b365aca54c0b578e9facc277601a1a25a0993ffea78ca97174c68c8f8

Download Submit
C:\Users\Admin\AppData\Local\TempQSXDE.txt

Filesize
163B

MD5
94c75620a6987e6e1f13a90e4cd44a84

SHA1
19740126542f9823d530cfe1a567be58c1be84cf

SHA256
0003919366118ec928f8e33033f9942960ea6e0bacb473fe0f3b73c9c4431853

SHA512
8cae1e4ff5447609018fb78d26665522e0ade78d3b0c46a6f03a7d4974c2685f1643e3bd1b240d850cfaec91cdbb8ebe6207402a8c2de24b74265f07fd6498c9

Download Submit
C:\Users\Admin\AppData\Local\TempQWMKO.txt

Filesize
163B

MD5
a043f02835dad303c1429240508802b7

SHA1
5ee62658090a5de3b0829dad0c403e8064c17492

SHA256
9e77587d0c213e0ec3e88a597ebb55b96bc0c32759a5e8307cb2c21fb5b428ea

SHA512
12d045af37c149a50d14903f735713a412b0279a20b7ec647b4f2deed409640983136d6423dec8f377cae717d88cb2e83bf4d8d0eba6c92abb4cfc035c50043f

Download Submit
C:\Users\Admin\AppData\Local\TempRAQRO.txt

Filesize
163B

MD5
544389bf9514e2cf20d273d0d23fde18

SHA1
32f494563a2c69e750e12c4ad9f6ef3e91a65d0b

SHA256
806909dc3800a65a8698a43133ddac8060a00b67c571af736aa7bf59180232ab

SHA512
41155e5f42757af9ff1257bf6e442710e135e4d045cba2c9ee85c0b7534bb94089a49db91fe8239c749e54c17d933f8f6806819d4ccda9abd775e067a6406ba3

Download Submit
C:\Users\Admin\AppData\Local\TempREIIC.txt

Filesize
163B

MD5
08a8e949c178b408f57fe0abb02af48b

SHA1
9d4b72e23695757fb891043f20a497ec9e401299

SHA256
02711d079844ff03fc379a290796a9050583bfccf6c43f7c2b02c99388f5fe9d

SHA512
106ebb36d6daccecee51e87cef9ba0a4f00a6351f0ea8797ccfb5d82873a0103b230b1ac051c08c5646026c64cb78abfbc33c51bd557395ce69152ee160c61c8

Download Submit
C:\Users\Admin\AppData\Local\TempTFLQC.txt

Filesize
163B

MD5
2a203fa95c511f4fb3b42526e9c38269

SHA1
08fdb577504ba55a11d89dbda642ec864b792b51

SHA256
ce994fc8d684e32a48593a350bc056e2fbbf2c0e593deda1d1438c90ec5b6301

SHA512
c5653976a7f3a4fb082a74d55391fefed64defef20c1cd347a634b46aedfce988eb04a181dd9e99774fdce526bc43df3e3f8c5d2802ab5eb57b3a1d6a197b486

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.txt

Filesize
163B

MD5
455c8a6689513eaa82789d6053a1c49f

SHA1
316ee3812705351df713e6c2e2fd8137d35a7d6d

SHA256
a8d343b3418d974a4a3c11511a5f827664bc00e103b3d2a8dfbaba0701df82e5

SHA512
6f03a8bbb981589a1df53ffdd53ed07d77aee6a1f1b2b63bd0c2bc516ebc6698a7c5d39d712ba4fefdec248af97c2d02ef2c683bee8d8180c31e809f6b5aa5c5

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIW.txt

Filesize
163B

MD5
1f5b0a440773b1dbb89d3187b7e32108

SHA1
2bd09f5cb3ab6a3beb077b4848607654414f011b

SHA256
ec4fa25a78ce38848c382b67057b80ab4e045d3704bfd33b4973a8203b147336

SHA512
86dea559c5744a01dcb7744151f57c5fc11cb42ff0ec3c203518abb470d7101bfd7e4bd6f689721367069b4ba29f488c632539d3c1f5caeb043e993430241c3f

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
ff8e58391da9324586183bb56df45f3b

SHA1
5ade693737bf29d5d09cabbbaa74d053a1b2c7ca

SHA256
e788d311d66e3d9d7ac41cbfb252c60b7797c29dd6ab5d374870808a06231e20

SHA512
f2b61352add4a5fc36e25465d04d17b6ed31791e07ea2a33d25bc71c6f3b395e88b1900adb0df2ce1c3715951c27abc4966faa191db4ebdbbb98399d59f72a3e

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
7fc83caa51827e24a9cb316306a8a179

SHA1
1e2b67cf403653ac666382c3d9ebc83b94b9d48a

SHA256
130879b093bedb944e2c94661322f86925a1f4de8b10f081c45b6ea253f32ad1

SHA512
bf1a97fa8d2b18e20b2920b005656008af7fa2e7c01e1bcd031f6243d0d20c4b892deb554bd46f8338a547f4364fc6171e2fbbf6743b3b629868871672b26ecf

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.txt

Filesize
163B

MD5
8908c4d1492a2acb5b8db833be4b7532

SHA1
87ec2d5a8aac6715b06055194ac5c2754eead4a4

SHA256
5a4ab10ad79680d818d0ce4545483e491e3261fd75989d3a3508c35ece9d7d58

SHA512
ecfa22a654b2e2223b2ec921d4535e0c92677913082caaa352b6643565e87707eae857cbd16d082a919153bd9521ef4a32e28251de29216aed874b39679b0aba

Download Submit
C:\Users\Admin\AppData\Local\TempWSSGP.txt

Filesize
163B

MD5
1a5ffb40bb1b61b3f2de211f85cb4452

SHA1
29109dfbde3136692272d25d2d366334885c34ef

SHA256
829b3c15ff9c57dc1ceaa8a4270a42885c7cb995198164721e5470fb4bada793

SHA512
01351190368e3c557103977be10a37f2dad788178af57888e50a98d2e0ca69f8b7a4a1b28df5143d149a745d0292cd4eea9c20e3d9b0003a44398f84442248ce

Download Submit
C:\Users\Admin\AppData\Local\TempXIBCQ.txt

Filesize
163B

MD5
49f468308f0b77bed80061cf931d5f3e

SHA1
3d816984b13a4a13c0c10df6d770e0c4189877a3

SHA256
a6b6f141eea0704618de7d47233fbc9d02a0d01c46ae57da17e2e8580f2ca7cb

SHA512
3b81731764dbd9a68e9ccdc9f971945f25c21cb891a0026220e8019665ac5d9393434315ad77adbef16127d730ca45ad00185af2a6726d52a5fac36e1fd24f42

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.txt

Filesize
163B

MD5
8680829bcd64384b95a4bdcf40fd7c94

SHA1
6550e673800305b01f7fe33296f3466ddd4236d1

SHA256
b5de1b2a43ae8840bdd7dd12483eeb5b999ac91fe9120cb6696cb85d0679cf3a

SHA512
a545d6164e64bdcd1c662901697b86c8017dcf27a7c6ab1c46cd1450ea8935f740a7bfcb0b32c3f76f3fc265f72f32ef82a3a2c2497b54abdb3577083a6364e6

Download Submit
C:\Users\Admin\AppData\Local\TempXUASW.txt

Filesize
163B

MD5
8ed447bcbfba8014e6df09865182d8aa

SHA1
680b8acbcbc2e6bcb60c3b333df5e0dcbcbcd27b

SHA256
339929ca2060be90e940b74f12479f13a30f60b30227d495725488a7c2df1b6a

SHA512
4e21be3c3877ce19b6ddf740f57d2fa20fa5fe3a13652cf1eb8f7103ebe71077e143f381998678cf90ccc48bb8f6853f31670e9f60fe428f7ceb6fa35b1c7cf3

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGE.txt

Filesize
163B

MD5
dd71641077f5ddb5fe8aab2476cf4e65

SHA1
833f6912c64880c723934ba2edad506e635d25a6

SHA256
83ebad02495a7e925bb8aaf327e0ce32812765ea12c7722b187d0183496f5dee

SHA512
87f7e2c062d41aac7124060ded7518c17b20a6f31837c58dc423c431127e384e226f7372cc2d4e6f393c67e7cd544d694b922b0af0efb3959f0a42ec45e29ffe

Download Submit
C:\Users\Admin\AppData\Local\TempYRXJF.txt

Filesize
163B

MD5
910a1fd74fbb2b3085671f7f55558cff

SHA1
2689041522b34d9c2c0d985665d3ce01802b57c0

SHA256
2f459afd45d30be669c26fb10f6b95a190451e6a68dacb04bf1f7175b4f991bc

SHA512
40a721498a392a07f548009a2b274cfda7665c93d063756a5fd924c12313b9e1e903e4059463711f2f621a6d838cdcac24dd5df52904162e2809e0880ae0cb15

Download Submit
C:\Users\Admin\AppData\Local\TempYWFQW.txt

Filesize
163B

MD5
f136f19e2598ca5870b946d5199d2053

SHA1
889ed7d42fd1710fd10dc06e1b6d48e63395863a

SHA256
9409e4459db8226ce29e5227e4674146d5691eaf3c7ab57af2fe9822c137d99e

SHA512
3789ef81b34df7fe18d5783e9cea4f63d916d937c91829c301c07ed40676e309c59d4968f7a18cbe084fd30c71c90ee4ff3c90892f0a6c169b6678368795c971

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe

Filesize
520KB

MD5
7e263799c9379877d032b10680d5d1c5

SHA1
5677f81ae5ddb0abf6d598d5021746096410be7b

SHA256
7a35bd26eef9f11f89151d6620c8e0f692b699ac6b84d658383952548becdd55

SHA512
4ff6214597b89eb5b27c275ae607bd9f976bc3638d6f185f38410bf434b5ee51a50996e737d0435a312b0c4e579d8a259e8fd9a2ce551e59422048aa8596feb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe

Filesize
520KB

MD5
075260dfad4328622bab243f148530da

SHA1
90eef3fcd76e6eef6bdfd99f556cf8ab91466306

SHA256
44ae8f4fd8d050688ba062bac1e53a973b4fc166b12c8cb8303409ae7fc24edf

SHA512
c37736e318a677adcde332dd901541bd06455cca85891c18c62ecdc4424e5c7840b0378b0d2d2633a8ecd2b57aeae0b4a3e62ef4a5b6d8aac5de662b525652a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

Filesize
520KB

MD5
6c51fa9d5be5df29b1ea429c34247cf2

SHA1
98280496bd7d881855147729f8351fcb470e8b94

SHA256
8c2b75a7611813e5917769f7e37bbdb4b9f0ce0c01cc7db85fb93397f5eec95e

SHA512
0c8313bb0e94416ba3001dae98d2ea7e722b73c6aee11960088b3243a8d54f8917c45ba941f40e7c42b2bc0781b809a67aa862691e6e2ae712b3b8c02235bf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

Filesize
520KB

MD5
9cd4750f7b2934eae15f2f5a0566974f

SHA1
64753b13ccb356806ce72165ce73416b46f63335

SHA256
cf719d346c6958109b9642364d1819b4959473a36a2b81668db609d8c95298ac

SHA512
0f855b9d70e0b04ec5939d8fceffcc57f12b37fde0865d677cc8804cd51510bbffc179759ded98637aa87a2344460a220395c202db204cfcbb14f77d66c49426

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe

Filesize
520KB

MD5
65a1535a5a7cb2d3bd3994782c9abe33

SHA1
853c72ca1ebffab338e082dd11bebacd5d8e2f7f

SHA256
99d4619fec8801332dcb053e6b650911a6c6802b33fbd5c759880e74ec46a513

SHA512
b463350115ec79c9c30dfa8796dee092d9dad203d145b3de556a6110b4e2ec10c7f7dee38203c0bfa412c14ddc8b46476434ba3526f573061ad9fd56be301393

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe

Filesize
520KB

MD5
d89bac44cc5a4d44538d06c13be058f2

SHA1
4ab4b0b122ea6ccf942fb9cd13539d8610083ce8

SHA256
da297826b1f4482267e71a93d9bf2b6b8346aae7c44f67e0c6bf681542e9ab44

SHA512
40a499b9272071724c66acaa7a1ef23d0a3e47075116132c906e5d3647feb7d54e566d696a6cd30392397f376d3498da2296bcf3889cf645e0a10dde726c0f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe

Filesize
520KB

MD5
05a55629ef83828fe843640dc0980975

SHA1
a268eea8457155e0a30ab531fc3848a597de0611

SHA256
2f75af173b7c25c73774c3a75f3f46dbf260314b00552f150c508465ad4486fc

SHA512
390ef38e052975bca191543d4d35aed0bf441cf05e9c2d46514cdeef70db14aa3e67d0d833ebaa986e677ea2cf7be7f28197306d609e74618ff6199242493384

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

Filesize
520KB

MD5
d060e5257a8cf02eedba5dda3b2131ff

SHA1
a19e64d63d871a6900b5d8107c95833dc85abbac

SHA256
8967e9745c5d1c1a1b3668a866f97f56d1834dc1a20ca42a99d17d2157707499

SHA512
3c7cba06f9939eafda5f3ebf66233fecc078a2553d9049c62a1e84a1cb6e33a0e24dc7774609ff8338045ee312d7d37c40130d57e215221adbdb6fcf281f65c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

Filesize
520KB

MD5
e405fbbb243269580190d5b477fd15e7

SHA1
7b100873ce70bb8ba9777c9e940ea8c41542ce24

SHA256
604f0c1c351880ddb9be87be5bee4678e80e70c32223ca137d5d7ef334b10bd0

SHA512
05967c40b82872174147af83208c6039998d5cd19649f01ad3a06800e2e0349cd91627ce65616d638d2e1fad14be668ae82e4d1cbf078b6f7848fd9bb59c0903

Download Submit
C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

Filesize
520KB

MD5
cdd903a743cfe7e53307afc43d9623b7

SHA1
4b64b25f5349d3f57ba58540daabd405ed917241

SHA256
1331732472c6b2c9b4407f560df0098ab83571f5ce4fa90864ff99668a3e096d

SHA512
fcff4723a56fc2ff27c1b1e8594edbf36e024500ae832d8d8a6d209a55dd96bdc23e5f1fb8f9a4574296c44700fc6599aaa7de8ebb4f749c999dd09e4fade8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe

Filesize
520KB

MD5
635ef72e35f2607eb5e8d67f5fe4e74a

SHA1
3d028a57704aab51cc6228d307672a7570a906fd

SHA256
45ca4b9922473f7809c1effc7675f9329af36b206a2d96613013a57c0baa5f90

SHA512
028970fffe80df4a257ba320e0e99fb27d825ecddb90dd8927859bb860dc40f4f55456b8d5ed2510fbedf8f4e5d125adabb2ce0a505ec65a587c4de11b4c6f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.txt

Filesize
520KB

MD5
f2f474e0e697e6a7b0690e4ac19d1995

SHA1
415c86ae270cae233546d71a125ff3d4db0b4c49

SHA256
5723c62aa5a1555247f18564fae543626aeedc6f0eb1fb015dcd0b291294e70b

SHA512
86583ccdfd14e67139cd4e383088f0b0e256c5955979adc4e08bc43514b3c7b85a272c39beb65dfd8c681e49dcb8992219a7f1749ee6c689b263ded7fbb83ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe

Filesize
520KB

MD5
f236278c2f6fad29dffb6bacb0773843

SHA1
403da1e8d0af3c7f788a7efb3672ab8c268b8dc0

SHA256
e7f699eaf5ec2e123365ffc47c351abd677e02bb9d7fe0fa94d48f12c6bdba94

SHA512
4c89079a1eb8941b9c9430aefb53881bcbfad85ec761b19dc78a6eb31806bfce0de15a8f8747b9b1ffba026d0c5fcf692d99a7501cc12a2f053453c3993f4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

Filesize
520KB

MD5
9c4fc6f2961b874b495df97283e0deb3

SHA1
7d0385d48ed20e3fa48dafc1caf2a841b31a9d83

SHA256
d58d9e69765655adb6b1ba2baf878b3c62aca717c1aed0809979076573ebe0c8

SHA512
0baa7bcfb923180dbfcc35c89bccb20c62a2ee46f0bd61c16f4ecb97045767ac8242a75c1c28faa0c76125e18bd5bd26feb0cafa13838c8dba83ee54cceed188

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe

Filesize
520KB

MD5
51b7e5b74cac20ce5c97784504c46c10

SHA1
cede50b3e0afd1c3ae919c726ca91839fbd15842

SHA256
2f20197e419ea1dfe0976d3514391934f63a73e8caa70a65866e3f801e323422

SHA512
401679ffb4338758ebae5d56d9cc0c32c0370736155ecb3c2e6a96ab82f558c61b16de6068f586cbe8944b6d1b07b37a7f9a1bc498c76488d509246386d43f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKJT\service.exe

Filesize
520KB

MD5
aaca5aad0405d5c9ecfc4a089b53a3bb

SHA1
67600bdf4dd8a81f5ddd95c0d3cc6b840f0b6f52

SHA256
b6870af0d6529e6d1653a62aef675852ca69e72831bbb97becdca39deacc5f83

SHA512
a475f8fcc991f40e375d7cbbf5269db85fb471934ea91700b41f9baab52bbef530046b3a2b8a103f4717637b694e001c17e9cbf66c8e629f28155f4540b48dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe

Filesize
520KB

MD5
a35605512cd66bbc69709b12d100a1f3

SHA1
36c96e68306a07160aaea46dc80e519deb9fd87e

SHA256
97d210506b66d1cd437a09b52a9c5855439423a83e90aa503342fa2ef5501ab5

SHA512
a2f32f057c097806fde01c532eed54d39ecf33e947923037e6bd9a4d2e20c253cf2b9f67ef1e9ca28ac5fb932c3052a4f7229202cda9bf82f3a07310b3fb7018

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe

Filesize
520KB

MD5
d6a48678950cca57fa72aea4db46cf5f

SHA1
457b69fd67cc1c937c3c01f7becbd1471b6c0acd

SHA256
2bed7f92728f8c4897fbd780d4e72653646576aae028d3f1d4d283f46ebc2aa7

SHA512
d2b018c26354e5e726588e37f1fc3b2f5055ac51c20b9df4c548bb6e6971cea33ff0dc6f454dc3342f83ce798072a0b87e9bc8ceb94b91c03536903e8c32c1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe

Filesize
520KB

MD5
0814fb413308b54a25d81907b5accbb5

SHA1
d20a271d4403d96027bfde576e94818b12173d62

SHA256
7539bcf3635cfc14fd64aa3cde5771b7444bf3edde6ade10fde0887bd933d5cc

SHA512
0f5a489bd04fecf164b07734be2840e9504f32ee7e4a9293676c6eaa53389cc13131d8748d9a10adcff208740b2b0a718128147240a7881a07d4a97c6fe332d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe

Filesize
520KB

MD5
81976e132d36f6d13fe75d7ae3dc5dec

SHA1
4400e405170c2bd4cba11fa87adf4fc5a77eb346

SHA256
7eb0b06ed92b287478c37d87b38a7d2994fa7cc70f106dab09189c3d38815aaa

SHA512
dcb85c4041bcac227cfa1ca3dc05e4beff31ca791d9fae4c9d8000d1d0960cdcb63c63805a3152aa8f46e1ccea2660c89d19822168bd615b457f7675f8c477da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
422c29a5b7df28243d8ed3e178b25b05

SHA1
dc3fbe9b5586ac602e3961cf7c14173780ee6bee

SHA256
300afb65ee2c3d3621df498b357438d0d8849d6d8d9a448f70c2df4d02dc440e

SHA512
ec70c257ca094677dc8b1d78ca42c89facea089f6f721a2be3590e3635cb74e01e9bc7bad3dc43fd674e6a1fa84a54034a6390145e2ac9bf1560bb361741077e

Download Submit
memory/4376-1386-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4376-1387-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4376-1392-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4376-1393-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4376-1395-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4376-1396-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads