blackshades | 502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650

Analysis

max time kernel
147s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe
Size

520KB
MD5

5f0d754290ddbe8ea444e8b23e882808
SHA1

80354ad2bd8251e4334f7de7f30015a2d83d889e
SHA256

502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650
SHA512

1388ebdee3aa3326c7e7bdcf616a3f3025155bc200640e9bd0ba8ba4b2daa2e39bb5603a840e1691b0ac7b1633f6d038758bd5820ce8716c38f9b28e37a050c6
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXM:zW6ncoyqOp6IsTl/mXM

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral2/memory/4728-1482-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4728-1483-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4728-1488-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4728-1489-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4728-1491-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4728-1492-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 59 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 60 IoCs

pid	Process
4008	service.exe
5004	service.exe
2060	service.exe
2352	service.exe
2724	service.exe
1860	service.exe
4420	service.exe
5052	service.exe
4408	service.exe
3472	service.exe
4828	service.exe
4992	service.exe
2400	service.exe
988	service.exe
4268	service.exe
840	service.exe
2204	service.exe
2980	service.exe
1364	service.exe
5064	service.exe
2628	service.exe
3716	service.exe
800	service.exe
4180	service.exe
5072	service.exe
2204	service.exe
3956	service.exe
404	service.exe
3872	service.exe
4944	service.exe
2916	service.exe
1684	service.exe
2348	service.exe
4276	service.exe
2264	service.exe
3872	service.exe
3776	service.exe
3640	service.exe
1976	service.exe
4140	service.exe
3576	service.exe
4848	service.exe
848	service.exe
752	service.exe
3528	service.exe
3404	service.exe
3112	service.exe
4016	service.exe
512	service.exe
844	service.exe
2256	service.exe
3936	service.exe
920	service.exe
1172	service.exe
2748	service.exe
2836	service.exe
1860	service.exe
4988	service.exe
540	service.exe
4728	service.exe

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGIDBEYTHOJNKW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVOAPPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFWSSAONIRYJFAQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWESRDLDUMIDTNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAKXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOYPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDBGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLBOVF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UWIMRFCQQEFABWR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGDHCKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVASWROPBHOPXAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACSPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MDQMKYPBPRMFIJS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OGXPLGWQBQAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLJMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDQMKPBPRMFIJTO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNOBHOOXTSHQDYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWNLPKRGHYGHQLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPKEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONIRYJFAQJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RFGCACXSFNHMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UFDHCKWAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPGYQMHXQCR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVTRVJNIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQHMEVMAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMDVNJEUNOXNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKUFVAEUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHWUKUOMPAEKXWJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LOEJXWIQIRNIYRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDEAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEYDQGUQNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ADTPQLLYFOXVGCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAFAVQDL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLQXYJBDRNMGBX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQSWUXINSFCRRE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDHYVWJOVWHBPYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYRWPFPJHKWXFS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSQUPXLMELMVQQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUPXLNFMMVRQFOB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYRHRLJLYBGUT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXJJHPBIMADOQLJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLBPLJXOANPKDHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTFMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ASWRYNOBGNOXSSH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HQNIXRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULKNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWJNJHXVMLOJCFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLBHPHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CHVUHPGYQMHXQBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOJIOKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RVQXMNAFMNWRRGP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRHSLJMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLQDAPXOCDYUPCY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPPWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IJGPBHMADOPLJLB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNBBCXCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSXEFCLDIWWKLGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFVRSAONHQXIEPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYUPDKFJXGSYOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUSVGLQDAPXP\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 540 set thread context of 4728	540	service.exe	340

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4176	reg.exe
1960	reg.exe
4240	reg.exe
1112	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4728	service.exe
Token: SeCreateTokenPrivilege	4728	service.exe
Token: SeAssignPrimaryTokenPrivilege	4728	service.exe
Token: SeLockMemoryPrivilege	4728	service.exe
Token: SeIncreaseQuotaPrivilege	4728	service.exe
Token: SeMachineAccountPrivilege	4728	service.exe
Token: SeTcbPrivilege	4728	service.exe
Token: SeSecurityPrivilege	4728	service.exe
Token: SeTakeOwnershipPrivilege	4728	service.exe
Token: SeLoadDriverPrivilege	4728	service.exe
Token: SeSystemProfilePrivilege	4728	service.exe
Token: SeSystemtimePrivilege	4728	service.exe
Token: SeProfSingleProcessPrivilege	4728	service.exe
Token: SeIncBasePriorityPrivilege	4728	service.exe
Token: SeCreatePagefilePrivilege	4728	service.exe
Token: SeCreatePermanentPrivilege	4728	service.exe
Token: SeBackupPrivilege	4728	service.exe
Token: SeRestorePrivilege	4728	service.exe
Token: SeShutdownPrivilege	4728	service.exe
Token: SeDebugPrivilege	4728	service.exe
Token: SeAuditPrivilege	4728	service.exe
Token: SeSystemEnvironmentPrivilege	4728	service.exe
Token: SeChangeNotifyPrivilege	4728	service.exe
Token: SeRemoteShutdownPrivilege	4728	service.exe
Token: SeUndockPrivilege	4728	service.exe
Token: SeSyncAgentPrivilege	4728	service.exe
Token: SeEnableDelegationPrivilege	4728	service.exe
Token: SeManageVolumePrivilege	4728	service.exe
Token: SeImpersonatePrivilege	4728	service.exe
Token: SeCreateGlobalPrivilege	4728	service.exe
Token: 31	4728	service.exe
Token: 32	4728	service.exe
Token: 33	4728	service.exe
Token: 34	4728	service.exe
Token: 35	4728	service.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe
4008	service.exe
5004	service.exe
2060	service.exe
2352	service.exe
2724	service.exe
1860	service.exe
4420	service.exe
5052	service.exe
4408	service.exe
3472	service.exe
4828	service.exe
4992	service.exe
2400	service.exe
988	service.exe
4268	service.exe
840	service.exe
2204	service.exe
2980	service.exe
1364	service.exe
5064	service.exe
2628	service.exe
3716	service.exe
800	service.exe
4180	service.exe
5072	service.exe
2204	service.exe
3956	service.exe
404	service.exe
3872	service.exe
4944	service.exe
2916	service.exe
1684	service.exe
2348	service.exe
4276	service.exe
2264	service.exe
3872	service.exe
3776	service.exe
3640	service.exe
1976	service.exe
4140	service.exe
3576	service.exe
4848	service.exe
848	service.exe
752	service.exe
3528	service.exe
3404	service.exe
3112	service.exe
4016	service.exe
512	service.exe
844	service.exe
2256	service.exe
3936	service.exe
920	service.exe
1172	service.exe
2748	service.exe
2836	service.exe
1860	service.exe
4988	service.exe
540	service.exe
4728	service.exe
4728	service.exe
4728	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 64	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	87
PID 4176 wrote to memory of 64	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	87
PID 4176 wrote to memory of 64	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	87
PID 64 wrote to memory of 3308	64	cmd.exe	89
PID 64 wrote to memory of 3308	64	cmd.exe	89
PID 64 wrote to memory of 3308	64	cmd.exe	89
PID 4176 wrote to memory of 4008	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	90
PID 4176 wrote to memory of 4008	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	90
PID 4176 wrote to memory of 4008	4176	502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe	90
PID 4008 wrote to memory of 2052	4008	service.exe	91
PID 4008 wrote to memory of 2052	4008	service.exe	91
PID 4008 wrote to memory of 2052	4008	service.exe	91
PID 2052 wrote to memory of 4680	2052	cmd.exe	93
PID 2052 wrote to memory of 4680	2052	cmd.exe	93
PID 2052 wrote to memory of 4680	2052	cmd.exe	93
PID 4008 wrote to memory of 5004	4008	service.exe	96
PID 4008 wrote to memory of 5004	4008	service.exe	96
PID 4008 wrote to memory of 5004	4008	service.exe	96
PID 5004 wrote to memory of 3640	5004	service.exe	99
PID 5004 wrote to memory of 3640	5004	service.exe	99
PID 5004 wrote to memory of 3640	5004	service.exe	99
PID 3640 wrote to memory of 3944	3640	cmd.exe	101
PID 3640 wrote to memory of 3944	3640	cmd.exe	101
PID 3640 wrote to memory of 3944	3640	cmd.exe	101
PID 5004 wrote to memory of 2060	5004	service.exe	102
PID 5004 wrote to memory of 2060	5004	service.exe	102
PID 5004 wrote to memory of 2060	5004	service.exe	102
PID 2060 wrote to memory of 5000	2060	service.exe	103
PID 2060 wrote to memory of 5000	2060	service.exe	103
PID 2060 wrote to memory of 5000	2060	service.exe	103
PID 5000 wrote to memory of 4356	5000	cmd.exe	105
PID 5000 wrote to memory of 4356	5000	cmd.exe	105
PID 5000 wrote to memory of 4356	5000	cmd.exe	105
PID 2060 wrote to memory of 2352	2060	service.exe	107
PID 2060 wrote to memory of 2352	2060	service.exe	107
PID 2060 wrote to memory of 2352	2060	service.exe	107
PID 2352 wrote to memory of 4276	2352	service.exe	108
PID 2352 wrote to memory of 4276	2352	service.exe	108
PID 2352 wrote to memory of 4276	2352	service.exe	108
PID 4276 wrote to memory of 4308	4276	cmd.exe	110
PID 4276 wrote to memory of 4308	4276	cmd.exe	110
PID 4276 wrote to memory of 4308	4276	cmd.exe	110
PID 2352 wrote to memory of 2724	2352	service.exe	111
PID 2352 wrote to memory of 2724	2352	service.exe	111
PID 2352 wrote to memory of 2724	2352	service.exe	111
PID 2724 wrote to memory of 3264	2724	service.exe	113
PID 2724 wrote to memory of 3264	2724	service.exe	113
PID 2724 wrote to memory of 3264	2724	service.exe	113
PID 3264 wrote to memory of 3232	3264	cmd.exe	116
PID 3264 wrote to memory of 3232	3264	cmd.exe	116
PID 3264 wrote to memory of 3232	3264	cmd.exe	116
PID 2724 wrote to memory of 1860	2724	service.exe	117
PID 2724 wrote to memory of 1860	2724	service.exe	117
PID 2724 wrote to memory of 1860	2724	service.exe	117
PID 1860 wrote to memory of 4820	1860	service.exe	118
PID 1860 wrote to memory of 4820	1860	service.exe	118
PID 1860 wrote to memory of 4820	1860	service.exe	118
PID 4820 wrote to memory of 5044	4820	cmd.exe	120
PID 4820 wrote to memory of 5044	4820	cmd.exe	120
PID 4820 wrote to memory of 5044	4820	cmd.exe	120
PID 1860 wrote to memory of 4420	1860	service.exe	121
PID 1860 wrote to memory of 4420	1860	service.exe	121
PID 1860 wrote to memory of 4420	1860	service.exe	121
PID 4420 wrote to memory of 1684	4420	service.exe	122

C:\Users\Admin\AppData\Local\Temp\502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe
"C:\Users\Admin\AppData\Local\Temp\502a3e3251a272032a9046ce2879cfbdaeb5406805e108f31e29ba9d2f733650.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3308
- C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe
  "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:4680
- - C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
    "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDBGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe
      "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RFGCACXSFNHMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4308
      - C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempELGLY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UWIMRFCQQEFABWR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRNAMU.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLBPLJXOANPKDHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMEYBN.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKWAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOCNWN.bat" "
        10⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MDQMKYPBPRMFIJS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJPUFD.bat" "
        11⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        13⤵
        
        PID:244
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBEYTHOJNKW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        14⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBQRPX.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPGYQMHXQCR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCNWNH.bat" "
        16⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDQMKPBPRMFIJTO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCYXBO.bat" "
        17⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVQXMNAFMNWRRGP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
        18⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKUFVAEUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSF.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEYDQGUQNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKEJXG.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLQDAPXOCDYUPCY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQDXCP.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ASWRYNOBGNOXSSH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHOTE.bat" "
        22⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        23⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTTNG.bat" "
        24⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNOBHOOXTSHQDYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKTWX.bat" "
        25⤵
        
        PID:636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFWSSAONIRYJFAQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSGGHCAHDYTGN\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\TLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSGGHCAHDYTGN\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        26⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAKXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        27⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLAJUS.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWNLPKRGHYGHQLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNOLT.bat" "
        29⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWESRDLDUMIDTNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHPHE.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        32⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEGPL.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRVJNIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHXQT.bat" "
        34⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ADTPQLLYFOXVGCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVHDN.bat" "
        35⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLQXYJBDRNMGBX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQSWUXINSFCRRE\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWFQV.bat" "
        36⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJGPBHMADOPLJLB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUGMR.bat" "
        38⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMDVNJEUNOXNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHF.bat" "
        39⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPKEETURAA\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBXWA.bat" "
        40⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSQUPXLMELMVQQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJXEUN.bat" "
        41⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDHYVWJOVWHBPYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHEID.bat" "
        42⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNIXRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        43⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHWUKUOMPAEKXWJ\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDHCKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        49⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        50⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULKNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLBPWF.bat" "
        51⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXJJHPBIMADOQLJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWAOR.bat" "
        52⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUPXLNFMMVRQFOB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe" /f
        53⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGSYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe" /f
        54⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPLYKS.bat" "
        54⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWJNJHXVMLOJCFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSCSTQ.bat" "
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LOEJXWIQIRNIYRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe" /f
        56⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBQROX.bat" "
        56⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUHPGYQMHXQBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe" /f
        57⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTIQDY.bat" "
        57⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVASWROPBHOPXAT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHXKRB.bat" "
        58⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OSXEFCLDIWWKLGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        59⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSVXI.bat" "
        60⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CFVRSAONHQXIEPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        61⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        62⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe:*:Enabled:Windows Messanger" /f
        62⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        62⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        62⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBEGPL.txt

Filesize
163B

MD5
a3dc6bb9588e7d0fd1446e3891e681d9

SHA1
97b5e45288de7ba54aeff29a62064eee3272dc3f

SHA256
b825ebddd7fb6896528e70918d24dacae6afb3389a2e5707ba158148687204c2

SHA512
723e4a229cb68e9d27aa38daf8fcc8f253a730a6b3d0e33fc5c0bec57d96761045a840f6f699ae1c337bb0f6635a1498c29cf84afb25b7adf2694f8b3e482ddc

Download Submit
C:\Users\Admin\AppData\Local\TempBQROX.txt

Filesize
163B

MD5
75a1e3d20b69ba4c68b28156ead0afb9

SHA1
ae08fb863b718be1dac1c28160d39fe72f45a379

SHA256
20440200e404a1a6352933697140871206d2d5a768a0ec8d90d20e4e6e2a7187

SHA512
5f12fc7f7ed6568ea8bd71e0399a4cd37245d684163e3c38c5af732cb703f6a53225456564f60bd4dbcfe8544ea2e623a480e698d348e0a1eab20fad7cb1de5c

Download Submit
C:\Users\Admin\AppData\Local\TempBQRPX.txt

Filesize
163B

MD5
637c6c5988f73cefd9170a832a88135d

SHA1
dec182879ea3a71ea4cadfbbf2288a9aaba0be38

SHA256
93c549fa673c50fcf281ba3df1b3b8e926ad0fd74e9f6c642da84f4594ace047

SHA512
d43daf1468a4921cd2a8e251cf68e0f396ddec2565eb0f17302ddb50ad7ecc5d6f53e8020c59f72bb884dccdb929d856b7f6b95c80cad67081f5bcbc1a56c258

Download Submit
C:\Users\Admin\AppData\Local\TempCGHQM.txt

Filesize
163B

MD5
65becba90ec3c2268f08c642b299af1b

SHA1
2516e80885adbd1dbeca15e478b8c60b47676f28

SHA256
cd1902e1548181d4faedb54a7929a04e262fa779d8ade5413697bce636e25e3b

SHA512
4777926a9c50b958813fdf3ef2c77d083f2817e9ab12700f994a61a7c639c3ca1dbf777d65a87a8239f5362f8cb02252362f416621dd1f5ceff898a5894e5d45

Download Submit
C:\Users\Admin\AppData\Local\TempCNWNH.txt

Filesize
163B

MD5
7e6abca3140ef136b89ccf67437d3f98

SHA1
723a10842cbd9a57a8b651eab64015b28254b46e

SHA256
2d057d1f6a65026658504adfdd2f3af0e3e759c028e4165f133d906dc46020fd

SHA512
eb06050e5b407f3e53b1a338b577a381d3fc45eabe7187ac31086d0cbb9eab0ceb3f1d9a454ba8ab0d61fcd06b03ffec897feca8a393525ad94754733c0bdf79

Download Submit
C:\Users\Admin\AppData\Local\TempCYXBO.txt

Filesize
163B

MD5
15d472fbee567eb58bbfe7df82015c6f

SHA1
171444518691ca7ba8a31764ebb2c6ea6222922d

SHA256
ba642f3a51833d8b665fee741df3755b388a99a000776db0bd451c4b258731c5

SHA512
40cd916cd6fa4b6078a85ff67758d6dfbc4ba3bc92b7d3d837cdb350488950e1bc0f3b39f801373e3302e7319c020dca6f3a92550d0f8ab457902634d9acbfb5

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.txt

Filesize
163B

MD5
8960ceb0ef08479b59c50fcc23ca918c

SHA1
612ba9e7f7164a0cef4c3ecece208314043e2227

SHA256
e05147f640ec22eeac45f62b5bf63850b795ef82db932886796ff3b486a9b978

SHA512
7aec155be1f37f296ac20eb0d9fbb5dc45b82703116c60951b0e9308941d754151dc61dfd563cb1002f07d48bbc4c69a5b68a5f5fdd291f953d8f34ded257fe5

Download Submit
C:\Users\Admin\AppData\Local\TempELGLY.txt

Filesize
163B

MD5
2ff3daf2637c99f4ff2080f0a5d34189

SHA1
56690c7913cbd10e287e5b5f0fdb11a7bd0467df

SHA256
09d285e9a94fa0a7f360ae4d6649de240c96c21dd6229d9eb5f396bae015cb06

SHA512
fb2e0a32b631c189f2815c6118239cbc94484ff058ff669d11611fa21d6c43430b1ae4fdddf7b298aa1a308fc9aeb05a7d32b226a8df8764235b17c817ffe382

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.txt

Filesize
163B

MD5
71a02623d6bb198327cc885c1f577fdd

SHA1
089215311479b85de33d46f39dc8b65d7e0138f3

SHA256
2774532ef6c76597c97e2c3bb5e5cb214863454e6de6473b590bcaf3b9f63a28

SHA512
f0704949ab0fe9ccf470b4728361a7a013868a732c9887ee0c12ad7c3723de958814c6382a6ceddc0d056baa07b9a4c3f1bf9ccd7e79f0a79a4fa59e5d8a2469

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.txt

Filesize
163B

MD5
ea99077dd8758310f19ad9172122a78c

SHA1
6ba9d95ba98422497ebd4f9176cf41c2acc010ae

SHA256
b972f9aa8c477325951d9ac58a5428980c44ec8d1ece77d28755dd2850009fed

SHA512
9a6906eee4d9c3cbc69fbb9f0c0466a4639ba6a5628e0bf43b2d47bb70b75c84be13a321821c2d46bbf73d29b6523146bb8a9d461123b1d30f803b041185e046

Download Submit
C:\Users\Admin\AppData\Local\TempGHXQT.txt

Filesize
163B

MD5
c0137811f842783bf9d697e98e0b01ad

SHA1
2d6eebca5ae6980da777eb841529b379a2e8a3a9

SHA256
270a0e3066038cb07881ae3b6640d761ea40e39de9ae16a792e7682876a4e148

SHA512
62f275e25d2b5feae2bf98832bbf941396beee76b26bcaa733268c5332f7fc71a3733e31a7e16d9cd24f9ae438cd5e5a71b51a9ea45089c62efe5f48bf8e9afe

Download Submit
C:\Users\Admin\AppData\Local\TempHCIWE.txt

Filesize
163B

MD5
9d8a73676ceac800fa001ece1f4e52f3

SHA1
789fff73252bda26653a511337e96d9121f836b7

SHA256
aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51

SHA512
b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
89a228a9368b2cefe3bd87ae6e74edb2

SHA1
9d4b713126d7eb6e1dfaf7c1314ef5f9f5e5eb85

SHA256
0a3adfa9e8b602e22b8ec28b5bb955dfca990278d91681b54edcb5750123057f

SHA512
555b5222bf512fc64d43d4c00c75359433e67a3d25f9c6bd02fe466b8861235798c996d8ca7a7c08f3b70078d08a9ccc9ca95df492a567d811225e5dae64cf4e

Download Submit
C:\Users\Admin\AppData\Local\TempHXKRB.txt

Filesize
163B

MD5
a20ae22df5a4b075ff8310a38fa3c811

SHA1
4e07f8cb9a1e7c8cca2dac760660d9e87fdd0b97

SHA256
68622832dbc44c9f72a92017bf8defd5eecf168dff6c024dd763db583458a378

SHA512
c6793775a5c09186fd161b2451fc4f8ffa11e297f3024326cafa9465c27e09ae0b15641b06cf005a6bb2cfdcd82d7217008008f7997f2911a99ef1e0efc05176

Download Submit
C:\Users\Admin\AppData\Local\TempIRDJO.txt

Filesize
163B

MD5
15fe8dc9fdaf62936702c978ad63666f

SHA1
6f8f1de9698ecd27fdeafcf4bdb0c4347ec2258e

SHA256
7b4f7290013dc316640feec7348a12c6938c888a2614936293e564d692ba810f

SHA512
6f483071541b2515428d2c8c0e085fe23f430f66ba1021d340ed369861b310a7e1ca394f619628c636573d5a6d44f5fe9bcbf3596fa264678f79ebcc9f2f95e0

Download Submit
C:\Users\Admin\AppData\Local\TempJKTWX.txt

Filesize
163B

MD5
4f73680747add851fe95d8f00b762277

SHA1
ee2199999ef57c12003ede18c376114859e5ff31

SHA256
d8c4ce9c60ba235e99a3e4d4e37774117a18ccb0d186381cf93d32961d347c92

SHA512
46474272ade91a260a85f8d9a74b9718f473355e2313d751e8a94f453d8f6b0da42be34c49a60b9420fa6f923d3102bb121e7d7a0c5698f498e77c30f2d7fb32

Download Submit
C:\Users\Admin\AppData\Local\TempJPUFD.txt

Filesize
163B

MD5
784a5098d84059764c71be0f253fcd67

SHA1
a2798ebf53f4b0e163bee7cde37a17e3a53fd9f2

SHA256
ab5aecabdf1ed8d35319c4da21727a26fa53da3a7fb12149385947a7c1e13194

SHA512
1fd5a3615cdba9028b13ca7d3ea0f4287a9adbeec3d6e7f599e3cb873909468043cb2fe2026baef78249a78d906d785dbb90e5d431d5a5ac23e733fab2d5b498

Download Submit
C:\Users\Admin\AppData\Local\TempJSVXI.txt

Filesize
163B

MD5
234f5d17aec58aae12af94f4a9f18ebf

SHA1
b248c21a5984ffa431bcd099bcdce9e73548ecef

SHA256
e0fd8ff32c8385d6337514c80887e32e2d84c8c5137af21a8262438113ce75aa

SHA512
230a92770e73872bec40731254cda5fe3375bb95caf0215cf359239f0ea8c3b97501f529b461e8fbab664e9e770156d91c10728f870ab0d7b2f84b905659140b

Download Submit
C:\Users\Admin\AppData\Local\TempJXEUN.txt

Filesize
163B

MD5
fcef9f0d5d8a7952a14ebba7cb630a56

SHA1
3ed72a6a8c30d19ef3f23bca665f3f13912d8511

SHA256
bbe0927a901838091e09457d9af9edcded1bff2cc601ab99adfca3abf27e9b94

SHA512
86966485295e0f67e93775eccc71faaec16a4d7e94c49a2c5cc93449480bcef026289017f2d04d594e18dd8a467802c1647c6ccf18f83ec9d13d57503325b233

Download Submit
C:\Users\Admin\AppData\Local\TempKEJXG.txt

Filesize
163B

MD5
9c9f0869757561faaf01b07503390eb8

SHA1
285ba101f9c2377c5c6debfc0b51a168d2889227

SHA256
77f0184832ff29b269ad4758c118b3a9f81ab65a199d4a1c036a20e312b75414

SHA512
8eabeb8bd1340b03e7fdf406f34cb75af121cd79162603478171cbdb2da38c04a5468700664386d5071f5a8572256d2f30e7719ef7d6fcd4d3d6e9050540e9b8

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.txt

Filesize
163B

MD5
c2892a62dae2e334d742aae0252fc46c

SHA1
48be623003d4d3a01f8a86a6ada1b25fa3cc537a

SHA256
c364f94b6bfb2f67e0b220b87a884a01382faa065c2ad6135c61dc097991de7e

SHA512
6cbf066215377c1503de0cafece6602c6d61a0c9ceb70133a763cbdd09591424070c5bf1d95da484c30e39771c17ef9438a5cd3e902124ef5adc26dd227132e2

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.txt

Filesize
163B

MD5
b490ceb1c9ed80da4420a0572f2d08cc

SHA1
02542024ba315933d84ae56b9869221e0241a3ce

SHA256
817118b6f78df6e38e22cb9ab9ca4a284754a195ad1f5637917d749a9c5b518f

SHA512
3c7d82c354c115a0be5a555e50e54a0689f2982b1c34338fbd9bb34823705a507b14b37d8c822937c455119d60c7cb5eb26239c15c79201ee6c119b2e946cd5b

Download Submit
C:\Users\Admin\AppData\Local\TempLAJUS.txt

Filesize
163B

MD5
600c8454084337b4e5e9be7a2e502e24

SHA1
c0f5aad0efabc598974b6e5d1eeddc9bb18e1f84

SHA256
8c40d7189acaee8acd887f9d2c951d6081f97fda4b5956d1ced584c9ed6d53a6

SHA512
f83971d4da0756b7c6942d3600b81ccf621e189061ae85410d8995bc5c0654b9bfea85c58d3f16440dc52794bf448c77c77170f4122734a5c6813ba5010988c6

Download Submit
C:\Users\Admin\AppData\Local\TempLBPWF.txt

Filesize
163B

MD5
c9e859c9db7fff68b61abe28cfb5b95e

SHA1
9837cd9141c929d35ac09f0078a075b286af8f75

SHA256
120a6404b6b43af146197f66f25858043807bb1749735b0ee899a5cacff86511

SHA512
b5a4a73349f4e8ac7305dd33041d56cb101ca8e83f455406a94e618d54ef5717207780d65411492a774696c1cd899658e0d076defe8f422e43416f271d262819

Download Submit
C:\Users\Admin\AppData\Local\TempLHPHE.txt

Filesize
163B

MD5
27ada5927cebdf11d58a6d6e45396f3b

SHA1
f69fe81f956b2ba10f44f5fe5f5575eb71cff50a

SHA256
e54667878569a6202244bac8af6ce17e65a92b6027208fd5da260e1bcb846e2b

SHA512
04faa012ef549f66d77c611669918827662c4b3b1c3204ee7ab117bc3f6f83b1a3fbb0170e4b4316d1920bd052c8f96b8a5ba25ce000f977b454e4176cff2763

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHF.txt

Filesize
163B

MD5
01361e448fb9a41a1e49254e9437ee17

SHA1
be909cb5aa1abff3737c7b45608c382975fd0764

SHA256
9b03d07fe07dae6a2e681b223f2863a3c24865c6c1f04502723b2a50f0051009

SHA512
60f5c7af41f2c8519f1499f0d0952362236c0d1372201994cf3675ca16524a0daa5f15f30ddfe8e10ecfa11a2fd1d6ba8736851a66a8be4143f6bbcb68f08346

Download Submit
C:\Users\Admin\AppData\Local\TempMEYBN.txt

Filesize
163B

MD5
603cf994ae696788d0fc577e52971d2f

SHA1
96330b38b46bca48bf7ba3c2d90a2a7bcffa51ae

SHA256
45bf3cc9caad9ca287b58b2683c1bacf4d0241684aa972bc99eca13990a09568

SHA512
e2e5b5501621a47ce48d063bfd436f2a6ed847e7c01f8188f17dfee444ab6fb31ebe8ad69f3a802128fcc14fd7531f678e7f0b9130cf6001d6a449103bfd3d6d

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSF.txt

Filesize
163B

MD5
c92d52208d21fe7e04960e70dfd54d32

SHA1
64ebfca26c1432fb578afe99f00ca825ddbef098

SHA256
2f63775e3d3b0274d703718b502775b7297c37e41c4d8391c7c1e89ed36c3ac8

SHA512
945c4d447801dd96e7f3b768a110127e3e8cf21d8914f193efb43968daaf0ac2d59c746f50c82f30967b7750bc4c06cb29e7edd1f26b94ededf76b860c8835a0

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.txt

Filesize
163B

MD5
e1db282d3e4d4223082eb6593e165a2a

SHA1
d6d79b084a1b06c940932ec39b10834918363af7

SHA256
8a415e2906e36d4e25177fc359d9e8464b29a65bf3bae4427eec85c7114f253a

SHA512
cb2512ff0101738482b800d75c80a8babcad2b0c872712832fbd23e6ad1cdb908fcf22cfae2a94d78b7d2949a011e12439e09e9107781753ffb727429f818762

Download Submit
C:\Users\Admin\AppData\Local\TempMUGMR.txt

Filesize
163B

MD5
739447080a3e22332add31b3d6b14dd4

SHA1
88b1f4b2bb3b85dfc58ccc3dfb90ece8627e3969

SHA256
626b142072fad964a4323fcf63a1baa0088373953747789ef2afe3b33643564b

SHA512
7f2e99cf7b787cac0bb7396a704f826fad3c36066a527e51f55fe6c8c2c6e88e5c7ae4e4ce45f1f4598bc11afec60934f2c453f1c72524e213c67ef67918950d

Download Submit
C:\Users\Admin\AppData\Local\TempMUHNS.txt

Filesize
163B

MD5
d4aa8b386bb83f4d6d01503c671da973

SHA1
5b2e569c24444e758ab1a61c5fb7ab566c1e4f93

SHA256
3439a5c3bb5b7b90e697877fbcb9aff63ec15c7f5436fdeead0388855daf4a04

SHA512
74ad241c98f8899dd7d91cd07435e0b0eb1e3599d0222d728a3517e4d0449a6c9063204622b2e369976ba7accdc9c42b14d5259277e39eb5fa2ab1519390e6bb

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.txt

Filesize
163B

MD5
3fa377d490e135358ff8715b7130b57c

SHA1
90826df37fef897b8d9b2a225d23b581e87e5e71

SHA256
07652d1b9830b4d5d201dd0a67c88e979c0a47fa940c7cb638286e51b638b7f0

SHA512
cb99c54fc5345e204f70433c41f232e80d8893ee4447f152781f9b7a07b24319ccc47805fc35669ed599fbdce7c0c58ddd70bd6b3b0878716368f0bee0c1b61d

Download Submit
C:\Users\Admin\AppData\Local\TempOBXWA.txt

Filesize
163B

MD5
69e4a5f6817a0c9a7241cb8a5f0bba12

SHA1
f7e8624fcfa558b75cdd007bc59827b32df231c1

SHA256
fd11f3db03b12236c0abe5a52b96610d3531771e58a5e9441d73cef67d94327f

SHA512
3f54d1f80905ba32369ff4991216abc5d2e10e3c2f8e57fdbec4e3a202a925d5e6d55afc7567c1e5a3695ba750a79775d526cb35b7ff37c17ae3094b35fdcf2c

Download Submit
C:\Users\Admin\AppData\Local\TempOCNWN.txt

Filesize
163B

MD5
4d03b37e7cb1e00cebec000ea683d5a7

SHA1
f6d567d29df2e809aa0f22fc272187849cfb6935

SHA256
a70c8f371b25899e1e5c6a5d5b96ce645aabd41f961a47a3d8fdf15d6941b69a

SHA512
1d752028c1e609a0a65d97148f0140229c9b0d2d19b7a5439ff40d30129c2b7cce038b5526bb243f6886a745abeaf3bcdc1aab40081e7bfd1447320d97007ea4

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.txt

Filesize
163B

MD5
ef5edc187dd574db15bc13db15c29730

SHA1
f3b596b9657f17c374bf27f16fc9a6df8f4c44c9

SHA256
71487f836772b1b39fe00590cd2d3670db8827008d6032759d213851ae7848cf

SHA512
00077c646294c3abfd99c621bb844c02c9fb37f1dd17c740cb5258ed2f877cdd00d25f641ccb2c022182a79cc9013080024945a6c86dcb6e4dc114ca87708bde

Download Submit
C:\Users\Admin\AppData\Local\TempOWFQV.txt

Filesize
163B

MD5
2a6728f9008c6c789a4f4ecb90f13942

SHA1
50fe79b0195ed5a889fa6084e99dabca2ee201cd

SHA256
26c2ea80be669eaab02d6f5835d0da1dabe0f6cc16e98164989fa6dc0a380ea0

SHA512
095ac8d855e71266f0daeb6db27cfd7fccb0d9587b8ed99650d2c9e79d9c8db0c64a392f242dfc2db14e17bdd3c5bcc2db117ccfb8c65ae1d91ecf5d0da58edd

Download Submit
C:\Users\Admin\AppData\Local\TempPLYKS.txt

Filesize
163B

MD5
5fafb30d1595ead015cacf3887842e2c

SHA1
d5ae0666f6203d128ba9abba40bdc375e1d79882

SHA256
0708f831f58ac44600e618ca70b8a46f03457bc0cb5a4b34edc7bcdab461d905

SHA512
bea8a6050344a54aa52ae7a8fdcd52a2a3fde089e6da4dcfbd815fe22fee109d9351f1aae266aed4aaf31356fee633991c418decc39002016cd322a64c0460a6

Download Submit
C:\Users\Admin\AppData\Local\TempPTOWK.bat

Filesize
163B

MD5
bbfe5e0fa29d496527990f6054a9f6ce

SHA1
331b14fdca2d0989c66f353caf8db8a79aeeae01

SHA256
6671b78420dd8302a3374be3edc0d5fc3e2d6543a43020aabb750a56047e4018

SHA512
df24a3c031c13d802baed7f360f6b1de4ffe6d76c5d9a9e75bc3bfe34836d8825e26d3bce0a00c8fbec8cf81586f6170a602a6b870141f5e498e73848a8788df

Download Submit
C:\Users\Admin\AppData\Local\TempPTTNG.txt

Filesize
163B

MD5
99eccf51a63b6ef56d16cfc44541daab

SHA1
757872d0d444b73bcca95c5b393981242ed44b74

SHA256
24388b75efe75307cb33e4ab21b0172c94bee343e4f8da444fe13f343f5d0f21

SHA512
128d8ab7d8a4834087b1fb10cfefde71a0c9d504e1749efd96d6eb24214228211b57d8c13190e0c665567a51f1c99a949df6cdc6cd5d3d0a0ee5d2b135c316da

Download Submit
C:\Users\Admin\AppData\Local\TempPVHDN.txt

Filesize
163B

MD5
0b7f36598f8fb234c2600e9cdc896680

SHA1
0bc52b991e7786897cad334f3b3644c2b50a4f06

SHA256
bac90672f619a31379a0ec138daf919c4e934a8b05cf2a512678d3dab172a5b7

SHA512
7bac78a9693b025590f2683f17abc4346c43198d8d63e27adc70feeba975797d459724f89ba3fb7aef27de57dd9795cc4c0ba3b4f872987cc63ef5338706de9e

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
0bc5d2a03eb0e150f6c2e1c71a4b6ca4

SHA1
6517bcd5e3d3b9331e07c0f6007fec1a8e79f0fb

SHA256
c706566be3feba2adba77cba96e6fc5e2ddb1bd3cb1d46ad4603cde39d3d0eac

SHA512
cc27807ebf474e2cb006231aa877249298c8db378f5157fa0c5981275f85ca7c9bfe7229501ac11b616960c1ded92448a60b410de44c986ed1455e611ef70032

Download Submit
C:\Users\Admin\AppData\Local\TempQDXCP.txt

Filesize
163B

MD5
707b3c91d34246ebb2ae5b3f152b0640

SHA1
d002457c64bb0565b1d12e278416b105c3208abb

SHA256
7fbed19339507a4e179e08bd45df0a10e3ac88625711e96115a032044ce63aa8

SHA512
ebeeaafdbd33557b36bd9254ff8f5e9dbabff6b2581a718746324565a29a660ebc3dc9cd9210e09fb7404dcf71503fbccc32ff3c7a9aed4193b43f8cd56c9a0d

Download Submit
C:\Users\Admin\AppData\Local\TempQLTHI.txt

Filesize
163B

MD5
6e85fbc144897c7616d0669158d00370

SHA1
b30f3301126b79f535072fa8290fb5cfbc231d7d

SHA256
b98c2e9dbf9c3dc40042e14c547b672a32ce6a8c7426623945a770bb96f723bf

SHA512
e2c039c4f2c95a6910767685894b57928877ec125198169c43852af2f4977effe71fb94b11b739a1c476e2a5ea5964bde77a1954d7dbcffc2b42200e74061d29

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
6e3815379c8f480ba4bf4314d9c8ae36

SHA1
d38d3f6a9c42f75504efdfd7e29b6854707c35e5

SHA256
050f9da0d56aa7132b7b3085d091415b9e80bc02528b3bcf2312220b928b2869

SHA512
3cee7e22d0d114305306070bd9af41383904d1d8a8bf2d290d86cf191a6bf08277ac930f47d59187a78c6545ff26c0e251501508fba62e76b89b9097d08b624a

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.txt

Filesize
163B

MD5
53bfce173bee6cb46bf72cff1923b2ca

SHA1
ec898f8bc5e8dbffd4378b590d222a2628d3848f

SHA256
d8e5e08175f4b556c54390ec568b84be889cf08086594967bdc7b2072264286e

SHA512
89c5f8bc1de97c7bd6c1dea6830a11b7c7ce6d1a62ec991282ecfa2a57745b268d8df63b7256c94bd4065c0b25fc45e4d592760d6a82c235049466a164855739

Download Submit
C:\Users\Admin\AppData\Local\TempRNAMU.txt

Filesize
163B

MD5
de7b10275978a004edba37a9aeaa1aa0

SHA1
9bf57c8657d085e80ac41cb752a292a784e8eef8

SHA256
a84d011229c89854a1728886852d62adeeb3aeae64587bce733c6a1adde2f367

SHA512
0ad753f05d7e4ab795c5cb237918afdf96b816a5e9ffe4fa3fbead93e433fe964c452797ce7cafbf3872d94c0a156c67ff22f6587d9010b9340db3958c5d0a00

Download Submit
C:\Users\Admin\AppData\Local\TempSCSTQ.txt

Filesize
163B

MD5
572affed4759d64e8791c3e224fbcdc3

SHA1
da5b2148034cd50ea69a3f6f3ab2ca928e5321a7

SHA256
51ff6524923b82a67d72943cdfa255f30efa9ed62245c3deebea828f1d46382e

SHA512
8cb8a25bd5340d23c8f5543cf30a74645d045e574067672a2a5d40b4ef27eb8433459a1fc9ffce0fa69cb8aa2ca55363782a2c88e5dad84cb93324fb5941b48e

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.txt

Filesize
163B

MD5
afe7400510b05eb5e1218f576970ca51

SHA1
7f68522a557d74965cc7b702dc9f75552bb7836d

SHA256
876788acc80f4eb2d94953ecc02989b10bd30076722a2133946185b3b3964ce3

SHA512
b148234553a73d6c54bed4f776f0d060ff1ded68508e7cfed47a869e8c29cb444b1a78c894541aaccd07acab7b7c1a2a9557bb1685fd779e4ef1439be66bf60f

Download Submit
C:\Users\Admin\AppData\Local\TempTIQDY.txt

Filesize
163B

MD5
855d56a84a4e8cbe828b6d7a334e3fc3

SHA1
82c5e3675ddce23163f968347aba90cfeeb33b50

SHA256
16d8f18c81aeddee18ccb134d77e6c3c61a934cb15a3322c480c94e91e4ad21a

SHA512
22223ad7ad9282be9a273e7d617692936cd866fb544aa00e20b0d93b5b9c392569ad62f432b1237a4be7743b9e64f16d65756036a2d4e04c189c3af4f74ed2a4

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.bat

Filesize
163B

MD5
d82390ebd537ad07a6ba088fcb388320

SHA1
5d6b5638547ace22c2be834d9e917fbfc3a1c627

SHA256
2db89b5e5829c21efb8b1c55fcd1064264606529b394b4779d0f6694e0ab36d2

SHA512
19c57d7e5a1f9a07da39d12124b40bc7fb706854e7c8edaa0d7956af99279020148a6e971094578284ad57a88b96750ebe63539d4f9943c08228c499d1857bd2

Download Submit
C:\Users\Admin\AppData\Local\TempVHEID.txt

Filesize
163B

MD5
7b1033abb5d806fb89e02b7cd724b990

SHA1
bef3a137dcd7143d26301b69b10d3b3ce3be110d

SHA256
7a71ef61184b2ac785384ecb220bd29caf42158154dffdd1e3da456adf309782

SHA512
79d9b78e793585a48a5fe4d551e56b4b2c86d72f9f6c3447629c28f0ddb6d0d7ddfd35a662debefdd7cdf5dbcd399518abdfffe37e32872303d9a34dfde6f541

Download Submit
C:\Users\Admin\AppData\Local\TempVHOTE.txt

Filesize
163B

MD5
473401de9b026907ad056b6e434f87ed

SHA1
82049a8f2eddd5e6e6d729e31c852d2a2d84c4bd

SHA256
93963cab3337a7cb0fc4c1bb87cb8a4b769edd9a12eb8b5224525ff9e692134b

SHA512
bbdbcfc4098edbaad6876bf6bc59c376836e3162cda38f9f38ba27d6d7f5d9d866736912d33558d27be3effc379b7a9cd6006a36ea4ee281503edbc3c760a593

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
3bf93bada10f7b1459daa409a0c00a59

SHA1
b04cb4b72c3cf4eb0c5edb918fd133c16a3ab24a

SHA256
97688773dcce368c29e3428036f0cce60ede5b40e67739557c30f77c14e1ec17

SHA512
1a55135178d559eeaecd83337285cd3cc6e0d061f04c5191935d76a0a7a9a4fe9dfee670c0b6432f961c6d8001c8b42d35472f936078bdae689cc0d84c25d245

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.txt

Filesize
163B

MD5
b186ea00128b653bd13e7d6523e12a6e

SHA1
0e2f758b09f64029a7115b12f7e62489fe04cd3d

SHA256
64114b9c12c7058a31532e4cf7f1d0570e5954d7345fd3028e1d1dd55e64c58e

SHA512
f6cd43a75e6467cbd2b76b7fb5cf8fa03a49e4d595247cf17b6aba7b3bd3b30fda53cdb71dec3d954a2a57ecda226fc2b0acd38c20c9bf8cfd4bfb353b63aa00

Download Submit
C:\Users\Admin\AppData\Local\TempXNOLT.txt

Filesize
163B

MD5
06b0316e29cd28deb9ecbdccd2d80786

SHA1
5380f0bd4f1d23da5f6379778ba1bd791b41650b

SHA256
eaf963b263405d74497ba6dfcc9e219cc163c3dbbeb851dc68d0d12f77318e56

SHA512
9bee799e82e09ec6da370cff288ecf3399d303d965105a1eeaf7623d293bea1efc81cac8870867ac6c3554b5bf80417de784744dfe2c71590f0b3a2775bea02e

Download Submit
C:\Users\Admin\AppData\Local\TempXWAOR.txt

Filesize
163B

MD5
06f6f3b664b1ef6eb8b5ce87ca4ebda5

SHA1
670f5d1bef387cda1fabc85e5cb860ff9eb2c930

SHA256
932756b381e57e5a86c89f29f28af02c53563cd58fd8b8a7eb011c9248801f50

SHA512
396ab271d8ec59592c6464fb41edf9748269ea7fba15cc51d1897d08a37db9c512f74c33908c3264b28e13e7c5bf900e65178fce01ca6dd51952cf2176048971

Download Submit
C:\Users\Admin\AppData\Local\TempYAHHQ.txt

Filesize
163B

MD5
559765df6500051fcb7b05a531784948

SHA1
a352c5b0ae4650404989944559c6aac131744d3b

SHA256
7218951015fbfda41d6abd84c116eaf053514c2ada6978fc0e50f17fe2ed8179

SHA512
4b5cd8bc9a3792d6a216d5dc71d18177f325038bf513b6415be74f9dcafd5707aa46e276c7b682bfacb74681cbbba554f02ec84289699a410aae25937acb1c01

Download Submit
C:\Users\Admin\AppData\Local\TempYJHLG.txt

Filesize
163B

MD5
568547456952f6f5c201bb393e12621b

SHA1
c1d0419c928d364002a9209abf951ca7c120cb76

SHA256
e6cae876b3cc0c8b5d9a3dbbe4775150ca2631b9d1e07d996c56d3ed7cee02ef

SHA512
c1850384cee550b284db91e0d82081b94f7b6ff4627a716df9e5cc1a1ffdbebc75ebb8fccf80f342f41fc5abbd5485ce521958267a99b89a37ee80eaab3f1e73

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
8d838174ee8ed3220ee3100477da63b9

SHA1
2cc94e920b38437218cc484daf44a3a0cb3a00db

SHA256
e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

SHA512
e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

Filesize
520KB

MD5
944818e55738178325d61e29c0ca4ed6

SHA1
f5b93b91d899ea700de155f670a83f94a93fc84e

SHA256
f499968c67d290747527875931464cd0667d703225748d4b5b7b11617e33152d

SHA512
5c261ad2cbdf935cd85cecbc3becc997aef93741c3a41766e51dec61d9959d730f15587f2dacf30b889166afe00edb34a9cb8dd53f2b6165e66bbf97efe6e0bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTFMR\service.exe

Filesize
520KB

MD5
f5e8be483503af4dc3f0f3810bc6006f

SHA1
9022c0af7aa3669e80c147b52a2c751914a471ab

SHA256
6f1a3821f128b7d05329100fb2af60782bc790c77dcd650c538c7e7e6bfa13b3

SHA512
981d7edc26bf8e8467f6d9bb6d5b4c7c054138b04ef2bea45dce3c5ceca7d40f5144ef29ca594495fc0a5f443ba0fa1c6ee5fcdf5bfe830f1747b7872a7fe5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe

Filesize
520KB

MD5
bad6f25b63b785c62d57748653f19e80

SHA1
12f96419258737335c7f537b2c050e0eb60ed0f8

SHA256
04d2e960b2e0bd5b0a87be3627b23ce441a567489d37d7a5e3ec28aa9413fabd

SHA512
b13a823c214e438c10c2d481bb3ed6cec3ad685c5738eb2d5e706ebf10f55e6c0d8471d39d0b0f8f70b798395bd6ef51a7c8e2b6d9f7933f44045256bcb75a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

Filesize
520KB

MD5
05c88b8534ec75f09a49e19ee35bb814

SHA1
6f44fe532d4a816c48da424a31c0352b38a7ab64

SHA256
d6e83b4faf04fec4ff7aa3f8197f6c17eb59527a3d68938a974b7f79e8abaf0d

SHA512
a85b5743e25d08717b423f828ae1a48b11580f896a68adb585b097a9e0e703d4cc4140ee0ae1212c67c62d5ad0148e57eb2542bebba644287c1ceaeb91a3ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe

Filesize
520KB

MD5
f63ec9bd2d32858cae650817ba207447

SHA1
ed416db45d9efb4198b2fc7cef6501bc7eb775e0

SHA256
046e419ffed1553a034b28530c79b6fe98c6eb9018ae1c78cc1973536bb9424b

SHA512
35a1bc2e206d76e40aed65fbb21c9e56657c38ad9215715ebeda74c5948b71dc45a8318c16659db5ade32c606f16197d42e3cd8fcc584f130126c541b6992910

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROXJP\service.exe

Filesize
520KB

MD5
c61ff1b60c6da750e696997a69470b14

SHA1
7ea0d7de4747e18e316982f282d72a8e994abb98

SHA256
0e2c4ad6461ad0523df3f64a7156bd606dc0537b4d33a474bb6e2ee35c0b2a84

SHA512
61abb159f4aa8c89ac99ca8aeed511f5139817c1fcb11018be46b7d697d44717f04717d7bbe2a98e0100b43fd128f5951849cd4d6d7808b42ff6a4153050e069

Download Submit
C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe

Filesize
520KB

MD5
5f3d243cc5d42e4d697f876f1455117a

SHA1
aae8fecce2617c708b87a2f50bcb897c55f97fe4

SHA256
25b968f4ec7e71370189ce2bc334f3c8f8f43827ec37118728d1980a7f1d0a04

SHA512
c2c793e151f1382c3419de8180cdf881403fa1954459534d1f6334aadc91740222ce7b3a46d2b95bc41812a02cdd76268cc798d63e740ada34acf3fe3ae47d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe

Filesize
520KB

MD5
dc681d6234f28bc1b8377549d8545281

SHA1
010238a37d1a0e0bad5574a813e9b884fddab671

SHA256
e5875baa96f44633d68a634080f53b5f17dcb6e8647d23b5dc2da57a75b4c1de

SHA512
6936117f54a202516924fbf86711857ba0d8d968952b7b51a78d61ddcf537a3c349f560c5cd2f7f7d68a59106a10e34517d594fccef1554843957175672c4728

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe

Filesize
520KB

MD5
885d7e43da6dee7d151672e0f034baa4

SHA1
ebc4541bfe64a6e0d2f8c0a9aafb0eaaf071b623

SHA256
a804077f300d25287f77a76f6923b9756a55ea214fec50ee0405ae3f80e161cd

SHA512
be988894a27d7e665d37a0893ff89eaacacd8062246910515cb459a61f62d63301d6d0326ac8ebab0100ef893781beb56208fdfb4f94a56871a9a81d19255a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe

Filesize
520KB

MD5
ff8b8599c8ad582ad19bd280b520c7dc

SHA1
07adb17aa054deba1b0873f5da03cf3ac5e99b79

SHA256
07969fb7c4ebbf66d4aed3d4210770f349031046751c53f2cb8dcca31736d2aa

SHA512
d2de6310415a3e8dff66ade46b2f3f10df7d79b9a0f0c1c2f27957ef686897c7cc586622b48fe22761b8806725d0d982fd995b490e9fa1b3f1e8873aa41d456f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe

Filesize
520KB

MD5
bee01434cbaa80de3dfd07603dba8519

SHA1
dffa54eb6b553ae761be7514da75ef6c8229bdda

SHA256
6a1a4cc4651e63737615e1c0db01552d23fc9464912f8e7b7fdec4f6493bba27

SHA512
9618fe55f244ec101d4671e3874d14b2abde71dfdc783f864d3f33d93bcdd1fbc91c45685c40aaf413a3a0ce061afcbde9bd3708a39b7ba391562c36a7e888c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

Filesize
520KB

MD5
2e5ac50ca2c4d756752e7f677e02cb8d

SHA1
3258b7ad7093e3176006256fdd81a835288fbaaf

SHA256
310c016ed7498974e029a75c3d72997db2f57760751dc6a32659076a3cb46477

SHA512
927a093dec8106db075dbbb999df837890372c529693e71ccee02563c6b342857706a67ead2e27688f0e2a307e7b283a64bdc20efe58afa00a849ca9a5f0da65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

Filesize
520KB

MD5
35a6ae4e6ef701fc65b0a1be9e5a9559

SHA1
57e250239a2c84b4ac8693e78d583e2d61754b59

SHA256
d9ce7da2451f475273b25fa8ca0124a3540f02de7d51a48161e8eceb042781de

SHA512
cdd9f5aa6c6f5be4ea5432514c85dee64523b906c39b54e7506e49981017b80847d8d3725912e8f793ad69bfe60050136c94e015b54a4d6ebe1984577fbc7f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.txt

Filesize
520KB

MD5
380c808dfbb532f8d3e253fd89c057ad

SHA1
b40f05cee59e7c8bd40cae5afb6b90a08013dd60

SHA256
097aba1bf152ed2fd074ef1d429c57d1f108436633347261d4301f93c48237bd

SHA512
31b1ccccca251155ef38f80dda4a2194f6ac00b786402e25584fa553aabf7d0d688f65ca102f8d60b5c453a8fdb621103357fc9756a2ab50284fbbc256f57cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe

Filesize
520KB

MD5
2a48ce6f4b244795244ff45eacdc2e77

SHA1
49e50c2af854eb6cefe63c2abe65f96aff274cb0

SHA256
450604c44c785f522fb0e757c6be7516aaa3285c94da17c9b65a949acfc742b7

SHA512
d648856bb265118277e3da98f999dbfbd83c7f807f970268b8ea9f03992ad8162a5031be3f2b687fc082fa7b35607b5a5f577c3ea64329376bafb5d49b3a6ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe

Filesize
520KB

MD5
0339910f9b560bcbfb4a35d82568996e

SHA1
f84852f90af5df0796c952bce8da43e2fa19fd9b

SHA256
9957b65202920e7642675726e13e54b195bdac7b6b4c2bdcc31356cfd10fa1f9

SHA512
754ae3002ebec694745f74ec8e777712644001d8a3fc5ce8547388bcf249630577b4fc8f19986949b1d99b37e18911c72aefabd39a54a041b52c60eacfb26086

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
6e665a3eb27e307a917b2778886ea71b

SHA1
24e44309ea2e8d1107e4d8f6bc8b8df096c27b65

SHA256
d27535f55f7ef974d7498c6882987787eaa165947c4c1447310b824da82da006

SHA512
8d94edd87a05394f9bdac5c932f2fa8501af15f7775e7ae84e2865f81bb5f4ed29301e106f0b7f7e02787dcba94d6867a47c0006b984a6272fb1bb9689cf84f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe

Filesize
520KB

MD5
f8dbde8e6426fdb28a77a66f7f01a9df

SHA1
73a1c78ac68253eb35d96584c2f54f78a1cbb552

SHA256
6f53f4619dd4e6f45abc403e219f6141b9d8675ae3099c22d7a4db22c88d29ed

SHA512
b1bff7f8f30dfefd5d4a3c2bd95227d85db2e4f4df06addbb28b654c1de6ea9d58d4b05ecbc55fdc8486bcaeb7aacfa0fb2c2a8b387d7ca0c50fc04b3559c910

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe

Filesize
520KB

MD5
5ee3b8ffde012b80cc0590efc9695130

SHA1
1c6cece870d612a42f4959aa40ee2faec3e0aea5

SHA256
877878dea91022597f32bb294a22898692aefe3500c251c6d6086ff77d35cbe3

SHA512
0e9c3c49e5aaadc784aa15043722b2a0f0385fb5cb0c72ebc95b1b2228f247e9f20c32ec1a43279c668010549d8052260bacb0e2df94c72e651e1a4926b619bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
f5f328700e0671a363d4ecaa3c0ce966

SHA1
f671901b582e7e694ddc95a8592595c502df9a80

SHA256
f835d0b5a119a2b57a0376eb25ccd9547e6ce331a0cf06f729e2781a945b0a9b

SHA512
870e7ed259dacc66889b2a67a8ca7faaa9ff3bf8996919a0c76102844b1a63dc21ac9036539d8b8e3e7e0e4517ff287b2ac3e56fbf0248c5244f6f3529c65b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

Filesize
520KB

MD5
0022351d4c8cc3bded5cb4d64b4889a8

SHA1
0038a5f4e7d062a8fe4a46782026e156be4669da

SHA256
3da52e30014c908bdb8fff5bc9bc1616f120a148c2c7b2baa22fb598359e795f

SHA512
7a70380afccd4f3e3f39aeee2b00213d6ea2057d453d3305c03ba4dfda4901ad8aa7435af27b8c0a07c5a3010bdbe3ec572d652dc3a32a4d4905a9fb542fc6ce

Download Submit
memory/4728-1482-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4728-1483-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4728-1488-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4728-1489-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4728-1491-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4728-1492-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads