blackshades | 5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe
Size

520KB
MD5

082c12d9b62b59ebf91b854ef22e777e
SHA1

77a416f7fd53218ab103af2f9416d07675e98ddb
SHA256

5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5
SHA512

5d737de555a60ef851c9899ed3bf9a2fa8735e9f1b8d0306b454afa85c08596383c034ca39fb6eb20f3bdeca61f9b5cf873656573911d0f9b40f3e2af58b285f
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX9:zW6ncoyqOp6IsTl/mX9

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral2/memory/3188-1890-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3188-1891-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 64 IoCs

pid	Process
1996	service.exe
3536	service.exe
2312	service.exe
3360	service.exe
2540	service.exe
624	service.exe
4288	service.exe
1632	service.exe
880	service.exe
1112	service.exe
3480	service.exe
3496	service.exe
1324	service.exe
4236	service.exe
2956	service.exe
2948	service.exe
3120	service.exe
3400	service.exe
1004	service.exe
5072	service.exe
1592	service.exe
2032	service.exe
640	service.exe
1016	service.exe
1352	service.exe
4816	service.exe
3968	service.exe
456	service.exe
1972	service.exe
3488	service.exe
5056	service.exe
1552	service.exe
4152	service.exe
1412	service.exe
4344	service.exe
1160	service.exe
1644	service.exe
3444	service.exe
4768	service.exe
3480	service.exe
4576	service.exe
4704	service.exe
3768	service.exe
1592	service.exe
3100	service.exe
4528	service.exe
4380	service.exe
4024	service.exe
4888	service.exe
2476	service.exe
3076	service.exe
528	service.exe
2952	service.exe
448	service.exe
2856	service.exe
1396	service.exe
2864	service.exe
3484	service.exe
1836	service.exe
800	service.exe
440	service.exe
404	service.exe
3712	service.exe
5048	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONIRYIFAPJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGDMEJYAXLMIGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGBJVWRPSHVDLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFXOLGVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QNMQDHDBRXPGFID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUWIMRFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YXBOESOMRDQTOHK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQHUQOTFTVAQJMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TUPNQFTBKBVKWIG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IECSYQHHJEABKYG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXFCQUGHENFKYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAEAOUMDDFAGUCQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYHTQNS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFFHCIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVDAYOSXEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDBGYXTUHMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLAOVF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPFTPNSERTOHLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCMRYKAACESAONH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYQMHXQCRBRSPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSITMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVOAPPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDYDQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJCHOXAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMGPXHDOHISVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJKDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QYMOAGNNWSRGPCY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FJOCOWNBCXTOBXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVQPVRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBPFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOHAGNWMSJRGQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMKYPBORM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JPUGEIDKWAXSQAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMHGIYLTCNSCPAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPTFGDMEJYX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYWEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXTHUFDIVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIWXJPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKEYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNIHNJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMAMYVATXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMKYPBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFDLUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPKTFUEUVSBMTXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AFVWTCCNUYKIMHP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKYAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYTPQDJQQBUUJSF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMLTKUQLUGVAFUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDWGSRSOMTOERIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NWNBCXTOBXIYDIX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKTQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVHHAUBSOYPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVFMBABWCSNAIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKYBLRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOSGKFDUSIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GBXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMREBQYQDFAAVQE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNOBHOOXSSHQDYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGIDBEYTHOJNKW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AFTTHIDBEUHOJOK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXMDIARIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVMCQMKYPBPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJTKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJXWIQHRNIYRDSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJJURPTOWKLELLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKXAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWNLPKRGHXGHQLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RMLGPYWHDOHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDMWTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 3188	4544	service.exe	414

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4888	reg.exe
3492	reg.exe
2044	reg.exe
1848	reg.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe
1996	service.exe
3536	service.exe
2312	service.exe
3360	service.exe
2540	service.exe
624	service.exe
4288	service.exe
1632	service.exe
880	service.exe
1112	service.exe
3480	service.exe
3496	service.exe
1324	service.exe
4236	service.exe
2956	service.exe
2948	service.exe
3120	service.exe
3400	service.exe
1004	service.exe
5072	service.exe
1592	service.exe
2032	service.exe
640	service.exe
1016	service.exe
1352	service.exe
4816	service.exe
3968	service.exe
456	service.exe
1972	service.exe
3488	service.exe
5056	service.exe
1552	service.exe
4152	service.exe
1412	service.exe
4344	service.exe
1160	service.exe
1644	service.exe
3444	service.exe
4768	service.exe
3480	service.exe
4576	service.exe
4704	service.exe
3768	service.exe
1592	service.exe
3100	service.exe
4528	service.exe
4380	service.exe
4024	service.exe
4888	service.exe
2476	service.exe
3076	service.exe
528	service.exe
2952	service.exe
448	service.exe
2856	service.exe
1396	service.exe
2864	service.exe
3484	service.exe
1836	service.exe
800	service.exe
440	service.exe
404	service.exe
3712	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1308	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	88
PID 1160 wrote to memory of 1308	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	88
PID 1160 wrote to memory of 1308	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	88
PID 1308 wrote to memory of 4544	1308	cmd.exe	90
PID 1308 wrote to memory of 4544	1308	cmd.exe	90
PID 1308 wrote to memory of 4544	1308	cmd.exe	90
PID 1160 wrote to memory of 1996	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	91
PID 1160 wrote to memory of 1996	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	91
PID 1160 wrote to memory of 1996	1160	5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe	91
PID 1996 wrote to memory of 4396	1996	service.exe	94
PID 1996 wrote to memory of 4396	1996	service.exe	94
PID 1996 wrote to memory of 4396	1996	service.exe	94
PID 4396 wrote to memory of 676	4396	cmd.exe	96
PID 4396 wrote to memory of 676	4396	cmd.exe	96
PID 4396 wrote to memory of 676	4396	cmd.exe	96
PID 1996 wrote to memory of 3536	1996	service.exe	99
PID 1996 wrote to memory of 3536	1996	service.exe	99
PID 1996 wrote to memory of 3536	1996	service.exe	99
PID 3536 wrote to memory of 3660	3536	service.exe	100
PID 3536 wrote to memory of 3660	3536	service.exe	100
PID 3536 wrote to memory of 3660	3536	service.exe	100
PID 3660 wrote to memory of 2732	3660	cmd.exe	102
PID 3660 wrote to memory of 2732	3660	cmd.exe	102
PID 3660 wrote to memory of 2732	3660	cmd.exe	102
PID 3536 wrote to memory of 2312	3536	service.exe	103
PID 3536 wrote to memory of 2312	3536	service.exe	103
PID 3536 wrote to memory of 2312	3536	service.exe	103
PID 2312 wrote to memory of 2952	2312	service.exe	105
PID 2312 wrote to memory of 2952	2312	service.exe	105
PID 2312 wrote to memory of 2952	2312	service.exe	105
PID 2952 wrote to memory of 3104	2952	cmd.exe	107
PID 2952 wrote to memory of 3104	2952	cmd.exe	107
PID 2952 wrote to memory of 3104	2952	cmd.exe	107
PID 2312 wrote to memory of 3360	2312	service.exe	108
PID 2312 wrote to memory of 3360	2312	service.exe	108
PID 2312 wrote to memory of 3360	2312	service.exe	108
PID 3360 wrote to memory of 4920	3360	service.exe	109
PID 3360 wrote to memory of 4920	3360	service.exe	109
PID 3360 wrote to memory of 4920	3360	service.exe	109
PID 4920 wrote to memory of 4508	4920	cmd.exe	111
PID 4920 wrote to memory of 4508	4920	cmd.exe	111
PID 4920 wrote to memory of 4508	4920	cmd.exe	111
PID 3360 wrote to memory of 2540	3360	service.exe	114
PID 3360 wrote to memory of 2540	3360	service.exe	114
PID 3360 wrote to memory of 2540	3360	service.exe	114
PID 2540 wrote to memory of 2424	2540	service.exe	115
PID 2540 wrote to memory of 2424	2540	service.exe	115
PID 2540 wrote to memory of 2424	2540	service.exe	115
PID 2424 wrote to memory of 4676	2424	cmd.exe	117
PID 2424 wrote to memory of 4676	2424	cmd.exe	117
PID 2424 wrote to memory of 4676	2424	cmd.exe	117
PID 2540 wrote to memory of 624	2540	service.exe	118
PID 2540 wrote to memory of 624	2540	service.exe	118
PID 2540 wrote to memory of 624	2540	service.exe	118
PID 624 wrote to memory of 640	624	service.exe	119
PID 624 wrote to memory of 640	624	service.exe	119
PID 624 wrote to memory of 640	624	service.exe	119
PID 640 wrote to memory of 2732	640	cmd.exe	121
PID 640 wrote to memory of 2732	640	cmd.exe	121
PID 640 wrote to memory of 2732	640	cmd.exe	121
PID 624 wrote to memory of 4288	624	service.exe	122
PID 624 wrote to memory of 4288	624	service.exe	122
PID 624 wrote to memory of 4288	624	service.exe	122
PID 4288 wrote to memory of 4576	4288	service.exe	123

C:\Users\Admin\AppData\Local\Temp\5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe
"C:\Users\Admin\AppData\Local\Temp\5b0579f5a6fb0270abf855c04f2c0b2b3377b7ec60921de33f67dbf94bccc2e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVEQW.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NWNBCXTOBXIYDIX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4544
- C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe
  "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:676
- - C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDB.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YXBOESOMRDQTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe
      "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSOCN.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVMCQMKYPBPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDEXVE.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AFVWTCCNUYKIMHP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMXUAS.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGVVIKFDFVJQKPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        8⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLAJUS.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWNLPKRGHXGHQLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempERVVP.bat" "
        9⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYTPQDJQQBUUJSF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSQYK.bat" "
        11⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJXWIQHRNIYRDSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSRDMD.bat" "
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFFHCIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVDAYOSXEFCLDI\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\DMVDAYOSXEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVDAYOSXEFCLDI\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUGEI.bat" "
        13⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXQCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYPK\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYPK\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUJXFN.bat" "
        16⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVGEIDLAXBYTRAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe" /f
        17⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMAMYVATXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        18⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMKYPBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFDLUKPHYPDOE\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\TWLFDLUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFDLUKPHYPDOE\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
        20⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        21⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFDIVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYIFAPJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBEYTHOJNKW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVKKL.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXRFMHMIUROS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQYL.bat" "
        25⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIWXJPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSAGD.bat" "
        26⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQHUQOTFTVAQJMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROJDDSTQLR\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTTNF.bat" "
        28⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNOBHOOXSSHQDYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        29⤵
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFXOLGVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYBCY.bat" "
        30⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TUPNQFTBKBVKWIG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHOTE.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWHIFO.bat" "
        32⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RMLGPYWHDOHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYPEN.bat" "
        33⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MJJURPTOWKLELLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        34⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDBGYXTUHMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "
        35⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "
        36⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBPFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFIJSO.bat" "
        37⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMKYPBORM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLNWSF.bat" "
        38⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDYDQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJWENE.bat" "
        39⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JPUGEIDKWAXSQAT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFOF.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHHJEABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDVUQR.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMHGIYLTCNSCPAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENWFBPTFGDMEJYX\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYUABH.bat" "
        43⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWRPAUHAUWBRKNP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
        44⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
        44⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBKBF.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAEAOUMDDFAGUCQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVFMBABWCSNAIC\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\NFVFMBABWCSNAIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVFMBABWCSNAIC\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGOAHL.bat" "
        47⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPXHDOHISVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTCNS.bat" "
        48⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGDMEJYAXLMIGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe" /f
        50⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOFDPM.bat" "
        50⤵
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJEMAXCUSBBVKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe" /f
        51⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "
        51⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "
        52⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQNS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACESN.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKYBLRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUQFTBJ\service.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTCNUY.bat" "
        55⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMLTKUQLUGVAFUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOERIT\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOERIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOERIT\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
        56⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f
        57⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXBPSS.bat" "
        57⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QYMOAGNNWSRGPCY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe" /f
        58⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUHP\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLXJH.bat" "
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEWNKEYOPMVHNS\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
        59⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYWEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe" /f
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYDIXY.bat" "
        61⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJOCOWNBCXTOBXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVQPVRHUCLC\service.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWEMDY.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IPTFDHCKVAXSQTI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe" /f
        63⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
        63⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        64⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "
        64⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
        65⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe" /f
        66⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
        66⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPNSERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
        67⤵
        Adds Run key to start application
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
        66⤵
        Checks computer location settings
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXAMYJ.bat" "
        67⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBJVWRPSHVDLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
        68⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
        67⤵
        Checks computer location settings
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        68⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
        69⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
        68⤵
        Checks computer location settings
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
        69⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
        70⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
        69⤵
        Checks computer location settings
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe" /f
        71⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSWUWIMRFCRQE\service.exe"
        70⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        71⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOSGKFDUSIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /f
        72⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe"
        71⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCXQWI.bat" "
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMRYKAACESAONH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe" /f
        73⤵
        Adds Run key to start application
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRTXVYJOTAGDSR\service.exe"
        72⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLGKYH.bat" "
        73⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMREBQYQDFAAVQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
        74⤵
        Adds Run key to start application
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
        73⤵
        Checks computer location settings
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGVWUD.bat" "
        74⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DINAMULAVRMVHWB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe" /f
        75⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe"
        74⤵
        Checks computer location settings
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHLGOC.bat" "
        75⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPKTFUEUVSBMTXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
        76⤵
        Adds Run key to start application
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
        75⤵
        Checks computer location settings
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWTRVQ.bat" "
        76⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AFTTHIDBEUHOJOK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe" /f
        77⤵
        Adds Run key to start application
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe"
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIFOAG.bat" "
        77⤵
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGPYWHDOHIYRUVH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        78⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        80⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe:*:Enabled:Windows Messanger" /f
        80⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        79⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        80⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        79⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        80⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESN.txt

Filesize
163B

MD5
915411ea3b638ddf1d828bd4c04944f8

SHA1
26b7805b6a57738bd36639977bfac05bea89e5b2

SHA256
088c11b99afda07e23db8406da7cd07afb70c60b0eed370e0ac7475740003e11

SHA512
e93a22941dad3c13ca1d872b0cb35f793449664ac75af15a4c4c7a1f982dd8254bbb5fdd9646c746e44e7ea4f49bc68b6aff7a2584a59250299ac318405562d2

Download Submit
C:\Users\Admin\AppData\Local\TempACQYL.txt

Filesize
163B

MD5
bb2cd2e9164167a78bf1f65fcd8a8d26

SHA1
389282f0c53768d552e74d996e732141286f0f50

SHA256
411150876db9d19119eef0574f41aff8d2e5cdd5bdd5b4bf9532c511b066d6e0

SHA512
9f9008a4141c78767223cd561eddea8dcce26d8f67f189c49a04ec816c0e38240bb5ca3c5f2275b2eed0b17f71426f2b585646653bde4192a8653fef76d55318

Download Submit
C:\Users\Admin\AppData\Local\TempAJXFT.txt

Filesize
163B

MD5
1db25d57fc385a1afe51e067477b679b

SHA1
06f33c2779e7c0ebe6030910d473aa23876eb782

SHA256
fb02617fa4d17e862fdf2d2ccfb8b6f415589da56850a2e8ce462cb6f3df0abb

SHA512
5e8576dfc86645f4ef174c4c3b83ddddee9ee93176f3e514395a581fd8a76b519846597e528cdd382f255ca22c9a80f85e6c685fa542be24215ca473d2edba2d

Download Submit
C:\Users\Admin\AppData\Local\TempBHVDR.txt

Filesize
163B

MD5
b8382e28e36c2f79e4c6aabc88e01934

SHA1
4e0d6b24e341d2c38e2043978ff08d6a962a765f

SHA256
4aaf2c1c77ad5f3e02e53ac5a383d88f2a933e530dee51dc72c7d0a18f321129

SHA512
d5179a9bbd4a238041217dc5a41a28420026424357e30f9e5c553e90ca230a29779185d9679224d8919a6b59edaa181b2f10ac582323f9f5e6aae9583a5dbb65

Download Submit
C:\Users\Admin\AppData\Local\TempBPYLK.txt

Filesize
163B

MD5
c6ef1b3fb8c3e8b19548ba6f36de46fe

SHA1
7ddb93e34ba258e3b08e581408b07efd0610c698

SHA256
36d3da4dc091e92a95c3dbbca09615618b596ff067ee9b63ef5d74da15640483

SHA512
a0162db8c1d93867ee11339e17914b11a0061b3608b692b3523fcc98438f2e262b446557449c11b4412c3873f2a7d3b07f4c672987187e903e3ce78752a31e2b

Download Submit
C:\Users\Admin\AppData\Local\TempBRSPX.txt

Filesize
163B

MD5
d3213841806caceea777ff87e0167695

SHA1
31bd92efa6ab0d27ad6cb690b425db8e167528b5

SHA256
e1ff61f68aaf669aedce7ec0f607bf6755ff98f3f7f0369a5dfe40b415281a2f

SHA512
f49b894249b54b486d1a90402e5415621eb0a7c8eeff2c4d3bdc43166cbc2ddad0bbd969ebd6d67ddd9a33f38bff7d2ea997ecaa907e3e4e31a98571071127bf

Download Submit
C:\Users\Admin\AppData\Local\TempCXQWI.txt

Filesize
163B

MD5
bca616241e70e0108d44c2ad29822f1f

SHA1
fb2714f7b5b3bd1445be29527f520be102ddbbaa

SHA256
3fc4e7c89692c5e30440081ea03a12104ce91e031917c3c2d377249dd4ecb4e4

SHA512
1a7998fe3fecdfa6af6cf653338cafde28d962181b821101d98ca71a02cbc08d35eab1a0128454c500ab302d554a99301afe441b6f3f02e779711c6f17ec866e

Download Submit
C:\Users\Admin\AppData\Local\TempDEXVE.txt

Filesize
163B

MD5
381389fc7b113fb28415aee8cb757088

SHA1
b08583e24168b8f0b4912affa2770bf4fcf570ac

SHA256
2de793372b3eea871b03281fb6c06fe1f8bd289159f8a80f77b93f8b0658e868

SHA512
a3f84a422224443316bf6a336fcfc06f36b5dc779186da857e37b8b068428b7c2f3653569a146631a3d3b01ebc81bafa175c1a27d106fe468afb617e9f66c3c8

Download Submit
C:\Users\Admin\AppData\Local\TempDPVMJ.txt

Filesize
163B

MD5
ed9689e07fdf60cab6c2bca4ade0a238

SHA1
68b7b1813ea1e258adadfa1703feb2535fb94988

SHA256
908bbf857152b33eeffb703091070e2fdc14df83a892787e1a618962face28b3

SHA512
55eaf7d70572cd9d28ea9debf315a6bdae049672db74a7a5f6baf0a80aecb4e03b430131279e440cdd32b15f1c2fc7c05d0a265e8f94269a72f10ea18d6dd581

Download Submit
C:\Users\Admin\AppData\Local\TempDVUQR.txt

Filesize
163B

MD5
0e0745e2c1e8fa721b0e7da1066ebb21

SHA1
b178db429a15f244d1c4b1072960b90afc183263

SHA256
66212740d4f9aa8d1d39c7b474cc5c5c334756dd02f826e470c7fa0a079d4d53

SHA512
cb2d48cb32fe37a7156f04144bb7a1f5120d61585bb2c5e97932a3e94774125a70ca2e78bdb57d7f76651f64fd0bbc706468ecda5e8ed0f9c2acf0261792243b

Download Submit
C:\Users\Admin\AppData\Local\TempDXBMK.txt

Filesize
163B

MD5
f2cddf9b4c6dc1c004b21edafc8229cd

SHA1
29cdd639f4c179567cb348866c5f6e3dba09d708

SHA256
8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db

SHA512
e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.txt

Filesize
163B

MD5
eb1981947d081f28fe8eefe71ba83464

SHA1
518f6efa878b2ceffc45965cee66ebc1358beeca

SHA256
ea0eefd90e9492d19be6d6a5b40601452f3c18cb5febc5f74c6a6ab2dd8081be

SHA512
27932aaf3523fae850e9b71981d1a573b86f6e838de12508ad3c3410fdb6cc66f3f0dc79394d9e803c73dba22f28eb5afe32c3d65fe00651ca55f38d7fa6f93e

Download Submit
C:\Users\Admin\AppData\Local\TempEIJSO.txt

Filesize
163B

MD5
c21f62c9072664216c4e774f0c8dfc6b

SHA1
b78421318bed894b0e253a67c49d339293366e7d

SHA256
02cd050a3128024e9a3fb1d05f407874238ca1ead1391227ea3d06075e14b6dd

SHA512
902b75958ef5ed5480db92a7624fdfed6e8369f01950cf48c2ea5b9773d7ab369b6beaae13142b90e1c83dca17bddbee5032b7b1f49cbc9ed0039d77bb9a3184

Download Submit
C:\Users\Admin\AppData\Local\TempERVVP.txt

Filesize
163B

MD5
cc011729c7a215855f7ae47ef2dd24b1

SHA1
1051ce9fa3bd460ccf5a4e4da373c4b120474dc4

SHA256
ac571e4d96c068ebfc7933bc4fdc57782c38a96bc8d440f0ed5587bc4f3b432b

SHA512
6756901b9e45566e2870b6b712df0d9c36df51e8a150d07691a292723ce2d02745b0d91ded85dc79da1363746faee2460f213d38cb6313eea513abd9c8e87025

Download Submit
C:\Users\Admin\AppData\Local\TempFGDME.txt

Filesize
163B

MD5
3c4e268302b77bbdd5d1fdf71a3ba861

SHA1
6e3c6f7b2f0114c2d0c1750d6bd734f412218ed3

SHA256
08b668ede400d18e2a94c7d632b5fcb03711e0bb93a76421c00ad71996768e06

SHA512
a2c366a60f3ecfde26d0f14f981f81eef82de3ab814609d28ef0da982105293b04762eb0f80c792a2a9486273bce353a60609a1239684c50945740f6e38db5fa

Download Submit
C:\Users\Admin\AppData\Local\TempFIJSO.txt

Filesize
163B

MD5
ee19066392ded06d2e599441df4aa533

SHA1
0167918a3804e2ef8c472d2842dfce1c22f59bf4

SHA256
657289aacb6b6386e5956521049da58952ad5d5344cadb60348f9c23aaaa44cd

SHA512
2be795756dfdbada22ac3a51256dd156e96bca2f93f9311b314f7a6dd90e8dbf55c71b47d521aff6d8fd2eb7c3db17cbef6eecd86e3173c23ba2e7c16fe186fe

Download Submit
C:\Users\Admin\AppData\Local\TempGOAHL.txt

Filesize
163B

MD5
cede3b292d41bf8a369f562bc6705671

SHA1
e9fdd99b4c7f66d903a3b5c4823a6ceff1050e3d

SHA256
02a5e83471b748f3ce372e077248d90a766db20eb896a4820d9edf79ade71827

SHA512
2838756c346d33de0845435fbcc63f1c582cee9f46c2fe1b88a30549d5e5b3b106235da5157ba18aa238c8eb3ed9f9c2d079808a9529a9f7344ed7108f3cc2ea

Download Submit
C:\Users\Admin\AppData\Local\TempGVWUD.txt

Filesize
163B

MD5
1a3f7569ba66931aada13656a5a47299

SHA1
aa71dd3fc347da7c53252616a651303679de5971

SHA256
5a68af35bda0155c84d04046b790ebc3253f4991c048b8be73355209d920f330

SHA512
630c8759521e2b6ff3511e945a56ff85c4afc3499965754dda5e3e3bcfa854da6e69b886f3ad775e3496015d5f163d811f5132978fb744699781d547ca10b89d

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
65051c70fb370f0677d286ed2bb6bbc2

SHA1
fd7d7addbb9b886bb624ed5943299ac1b5736fee

SHA256
c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9

SHA512
fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145

Download Submit
C:\Users\Admin\AppData\Local\TempHLGOC.txt

Filesize
163B

MD5
5c5e170675199d6ac92c3047abc15c62

SHA1
059ce3e2f08fc47d4e4bab9f936141b3ba8dbf72

SHA256
90be633a86d4a9a616f9b291d41903c38fa2a4d6dbfc390a5db25d7aafa5de80

SHA512
189fd443400779025935ed09efd910cd706e160415b388f57d2af60f142fd1ccb4a4e234b6822809b883c77c4af864d805db939b6b81291953e9b12ba9c0d7f3

Download Submit
C:\Users\Admin\AppData\Local\TempIFOAG.txt

Filesize
163B

MD5
94688eb7ba1d21ac800df62ba2bf945f

SHA1
a649c72a7b0b80fbc645f6f31dea629588a237b8

SHA256
359eda7a1b70a67fcd171921b3df51987b047297b9637740ce57f6b653fcd810

SHA512
925e6d446eefe0c53b2288943d84d7dd728f36cf64ba92461aa9ac058927f400955ce97faa142b3b08aaeb0e3e9fae9b92bba4c8a6af8acb691a39de2b94b761

Download Submit
C:\Users\Admin\AppData\Local\TempJSOCN.txt

Filesize
163B

MD5
56a3a2181e38d9b6f566f2ad2a4e19e6

SHA1
9a2acdb3cb4bc7993f979ac7aa9816a769a316c1

SHA256
3cc35895b0033c576f42e894b22b32842c1fe7717b8d761ca63b422670f6e288

SHA512
97c8e61dd54f3d0f930e28c5cff54329c0b06df027ab3234702931b2419dd721c8ffc209bd2dae9db6d063fa7b8c32b2e10bc13b02f55051a24b6bc5d19ab694

Download Submit
C:\Users\Admin\AppData\Local\TempJWENE.txt

Filesize
163B

MD5
cfc3444bf7b28f9cca95fbcdeb8a6439

SHA1
6756db3a868982bff6b8a9ae8d0556a768e0f470

SHA256
0bb614e1b4e4bff83f45fa1d4fbef9ac0898cfa7b53850dca75b9250bdb79cb9

SHA512
06af2b8bb90a1f35c1dd3368686582bfecfba4785ea22f3e8c0ecbf14ce52db4ddc154c59ca9446fd0d9e6d7897cc6ef66b28e9c5ca08e528520b1014fb92a3e

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.txt

Filesize
163B

MD5
fbc4b49a0ca6319cf07d242e6dd5da0a

SHA1
362a51b8a2ed20540df4a82b5a5ebbfd874f538b

SHA256
c11db5d2fc36767635cbe857670454b2e211d89fa29930f93768485aaba6ca57

SHA512
dd7c6a2878694597a342e2196f955710655b89c1aeb1e69d671b338023a33ad9b0447013c902863604bf8db640a5728c8bb60d7312261726632bacf1f2e8a065

Download Submit
C:\Users\Admin\AppData\Local\TempKLVQE.txt

Filesize
163B

MD5
48f305858e08e144c3f5dca8a157d345

SHA1
17d9277acdc7217cd0c1a168179d0417f58795eb

SHA256
ee427e0ebf2ab2f7781827e950a318eab8b8539919b84d5d442bc288be6b2ee1

SHA512
7055def9b03d4efd9e85951edf03654a71d2a8d8066066a2823d7c0c76d70924088b9680fdf76477546e11a5177d82a76cc7b4b7df14bf6017a670e318f88b18

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.txt

Filesize
163B

MD5
fa074727a376b3aec168cfe25b0c2c7f

SHA1
905f5b3145d08e0fab6b1b16b08062da86076b0d

SHA256
080e5c7179a5b9719abb2563e60340d052f37ee2f98483a9fef1429f31a31f81

SHA512
0204154457d0330044c472421646a0898d3f5444757d14556846a5766b8af9ea7df711b564b72fb223210265278d192ce5383c3c0d9d5338d2e959bb79599c2b

Download Submit
C:\Users\Admin\AppData\Local\TempKYBCY.txt

Filesize
163B

MD5
3d3aae1d55f4def8cc7a8b5a1b6d62cd

SHA1
b1957650c052dbfa3c9cb32c647aacac3897b5c2

SHA256
12be0132252301451072ff2b0f9d6b446670f12ab5d94fb828541b32029787b3

SHA512
039b25f493537cd294bbaef859806ddf2247f73cbb196c7ee1c24190e931297f45cc1a3d3044a759de950bd2d111dbb2d93f2f24f161aacebf3554936c9c7dc3

Download Submit
C:\Users\Admin\AppData\Local\TempLAJUS.txt

Filesize
163B

MD5
be2938303288f499d9b849576d7a46c1

SHA1
dca9d306a8076eaa7217f2843a5a2adc79788f08

SHA256
857a4de6cb745b4a5a1f5fdb8e8a3afe56e7f1cfaed81a8c17ae75eff6d6aa95

SHA512
bd753ed02065b9b078728fc10b854ce6afa1c195c4f791e37a281cac8c35cb16ab3667a4c5747e52cc581a34eae68311230c671778614bd9d1c8faa6617f15e3

Download Submit
C:\Users\Admin\AppData\Local\TempLGKYH.txt

Filesize
163B

MD5
bbc0e56f03df17848002210d87ee459a

SHA1
71d61c0bf1251597a87b76793442617cbf104a29

SHA256
1857829d287d4a654a0e5f179622e1746ed11aeebb4322577f7a072d854dc6c5

SHA512
93aeffb8849776ad996ecedd684d223c4026f6383dd56afac5e8f61a5d558b2b72984d6358b9efc59c62954074a9fcd820d4337b4eef84564e8ee5b95391b7c4

Download Submit
C:\Users\Admin\AppData\Local\TempLIQDJ.txt

Filesize
163B

MD5
fd2e1ac873abdcf75d414027ffc438af

SHA1
031fc7c7a45c88e0122241cbb6d2d8f5be1a12be

SHA256
397ccbb85835159e8a38e447cc96082365901a66ed882919641a6c6f114c60cb

SHA512
9565732efe62cca6179aa42fd6c403ca1b333a63c2cda04478a9589fa67b48efd2369961ab01fc7fc8710f078a52f402d621772650e1eb185816adbfc327d4b9

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
b99a301236f50f2d0c72dcd9e52d6e17

SHA1
e58c463173a9d6c33b5194266f446bfd6abaf428

SHA256
58ba9c92d951b80e926d4339f3589be900b98d34e25c23154c4ceb5364b7cabb

SHA512
51777be3f83e18af9d3663b241200c5893b4beb6e950df565deff231b87b56db4264639efa61d53f1e50265df9b36ee7d75e609053a32aaaf8d9e95df90e244e

Download Submit
C:\Users\Admin\AppData\Local\TempLNWSF.txt

Filesize
163B

MD5
84c2d8383f144db37fcf310586df6583

SHA1
67859e2b3efb3ca251e9891e5b711e6cdaf8323f

SHA256
aba32919743741bd6c41ab2fb15fd63dff719eaca314ae0ba6caf78f6ead1532

SHA512
d7734f86c834abae464b32b3eea0909d22a15860ef685d33a5769e25ab244159e56389fa8e4dc4a671876d285fe881a4ca88d25f204d568b8c10fa41819f0daa

Download Submit
C:\Users\Admin\AppData\Local\TempLTCNS.txt

Filesize
163B

MD5
a45bf38b05ab5914a0237cd603a5e658

SHA1
05e4e9d6bc03ec11ec866d01ba29bcfa6b272bd9

SHA256
b86b95c1a84e99e5959bd4cefb3e8953b3ed787c91d31caab07c024f396dfee9

SHA512
3b0700f90b735f61a6671b992f2b7e2ec5f122240af8d3cb7d2a6769ba7a1d81c1a3b9495b2c19524ce52d06c95d192c3e94527b7544035e6b32a7f73e471c9f

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDB.txt

Filesize
163B

MD5
8e8e493f9ab34efc26da63eb3af38a17

SHA1
f8c756530f08a96f250500befc50ce6c475ae0a0

SHA256
c2928667422007fc9e467673fddf95f13056616904ad1a964e887656551f5257

SHA512
d1fd27441f5bdfd5b2a852ffa1250c089d09ef9e00fc7c851cec9a88196e027949bbd782cf972fe6c449fb788222236e8b8f7ebece6f2dbaa2acf275bfe209e3

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.txt

Filesize
163B

MD5
3c95614d46738258e0480e1e01913088

SHA1
9b37177d9581e57c2c54a8dcadfd977210b2215f

SHA256
f7a0cec4ad5034063faeb523f4a2ba69b3ff7d08cb1a1f99a0e1de53ae30aee1

SHA512
8e2d16c23c9d390f730a7310d5a2b0ceb5f18d51d16c3abbdc8f4c210a5a8cc29b4c6ecb6623eff499c87839b79646b0e602842c5d4399ad1e3d6496ce149f7c

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
e718673750c62d017a4d2691afc8ec18

SHA1
035ee1c5a7e5bffaa6a9d72933de9e7c7759b09f

SHA256
13e6ba790af9702f517fa066b2fa0a5c597cca164e3846c4f52e743dff701c6a

SHA512
6f9b869f92597f22e7f43d4868e6cd275a5bafdb59eea068adb5655502fe2fc943b7f9e22cae7963141627d87d626f710713d0cbfa7f1322aa6bfc9eabaf6297

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.txt

Filesize
163B

MD5
cfcab4ce7b33fe47d4a2fbd0db1cf6bf

SHA1
e6184239342f634b181e0ec242c106cc24d2ebbf

SHA256
10cb6c5370b11b8ecb9648dba6bcc01798433f19c98c4853e2397b6ecbbe8261

SHA512
0f926cfef3df33006e03ad58ba3c94395de2a20ddbb0fe49ac04a02ecd18ea10081efb480d883f587a02cedcf3bed0817a0fa6008361a87eb1ce4cde9f0a5574

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.txt

Filesize
163B

MD5
6edac9d3462022d02e120279da89ddaf

SHA1
f278c52733191d69d88dbe1df8b6a02a93ba3fea

SHA256
22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc

SHA512
ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b

Download Submit
C:\Users\Admin\AppData\Local\TempMXUAS.txt

Filesize
163B

MD5
f51639c3da392a140fd91a7f9aca36ad

SHA1
4465c2b529aa2939c838c014c316579a800e55d0

SHA256
1c285fa5544a3e010a3c63a237abe4dd6b2e0f728a457c4caac5737c3981ef03

SHA512
9657924e44c226a69c12b02076c13a356354ab315a376fa287c6b3d1180ae7cd1a40a390f00ce8808f7c50385bd4296833c6e54e428c7a79bb500fda1c42489b

Download Submit
C:\Users\Admin\AppData\Local\TempNUJJK.txt

Filesize
163B

MD5
408103db4ad9374528e4599b6139e839

SHA1
d978ef5d7ca78c78ba70647e9e4948d7b62a82cd

SHA256
d8a8526ae5fb68c815226e1671330a8f579af0970b766652981ef7e8c144af68

SHA512
5b79f24248eed96faf5237dbceb8341c8b52f9a53eb9de978f7782dcca5322b23103de153890712c33f651dbf80ad54c11ce8c55b3432fe7c7494ec6d6b663cb

Download Submit
C:\Users\Admin\AppData\Local\TempNVJKK.txt

Filesize
163B

MD5
32ceb45d45f9be3032e74e763ca427bc

SHA1
fd681049ea381fe794cc34f227d4b297424faaa2

SHA256
6f75e75476420ab90e20676e6d4175e2b47e8452a8fab54162164b5b7699ed3d

SHA512
41678b597844dc5b0c1766401082852378e5f2ec37da79e1548142cdac350e9109dc548e5f5a4dbcf1b74ca269f821350e39e39c6a6ddf2a09533a642aaf6782

Download Submit
C:\Users\Admin\AppData\Local\TempNVJKK.txt

Filesize
163B

MD5
89007f253845713ff9aa044500cb18ea

SHA1
278d7a2fa17687aa07a465600f912d4995d9c015

SHA256
71b8efc7a118c1469e71393c7b79a2a34ad7154b744e809196d2bcb95febbd1c

SHA512
13ef599c6e4291032940a66fe42444e77c2327adb980340b332eb9c16046c0362a9bdc4bb2a519721079f953f9ea831c52592b5adc2c0eceb816b6b5dcf94f3e

Download Submit
C:\Users\Admin\AppData\Local\TempNVKKL.txt

Filesize
163B

MD5
325222794cbf30d7f991f417718647eb

SHA1
d1c28ffdca281acb02354cf1966d003197debc18

SHA256
05a8aebf3d87321dce211468bac119022c0d8dec9633b95b9c86a74b23d71008

SHA512
3dcd87e82e145b8a718fb3a919053837bca9b2c838fa43ed96ddff6e6763321e1d7ea8a8619f8facbdcaf663fb525ee04a6a6017b0607fe8679a306fb3dcd2cd

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.txt

Filesize
163B

MD5
33a26b61c58238cba285178b1486bf0f

SHA1
2d3b7a32f2a42cee421e21f3de45b3a03cc39ed0

SHA256
3efeafa7f4646e7d578508b083347d25526ff443c2dc47d8f426a0963da4d7be

SHA512
a9070731533573c35a3639d595f72153dab4b59d3dfffafb455784c25f502962f945686ec728451412fe826bfe4f3ee37a5edab9d1688e58736354b7d4aa300c

Download Submit
C:\Users\Admin\AppData\Local\TempOFDPM.txt

Filesize
163B

MD5
d97f50112cc1d3af630058ca4f24c866

SHA1
484c169d145c3f03e448b342568c8520a54838ea

SHA256
04d19e937c2eb0275e87a9ac2eba14e16a1e5402e5fd60659ca9dc161ef5468f

SHA512
7fca28f89647e806b86ea79b994bb7e0ab115c32bbea782245d2f84862adfe75d9c24760a0a0b44cf5fa82927414dcb24f778a14d00814cdf3ae205514b3cdc2

Download Submit
C:\Users\Admin\AppData\Local\TempOPYAT.txt

Filesize
163B

MD5
2b4ffd7ea29a7d291f88a002a00b2924

SHA1
cae342ccf738dc45ca7669b83afe01887893360f

SHA256
7037aa8423c57a149854cce2ff715fdf48d974122f62798ec6a94b0e978dc3d4

SHA512
33ffdf6ff441bf3e0f13cb1762a698b3fa4d450399a96eeebbd576ef9885fdae4c956c6dca7eccf04c7ed8b003e9e1d3657fc1dea86d7202828c932424624dcc

Download Submit
C:\Users\Admin\AppData\Local\TempPBKBF.txt

Filesize
163B

MD5
e6c33cf727aab21a65e9d17537f49138

SHA1
3a0df4960cbba1f389af4da180a20de24a3d3ed6

SHA256
0060f135b2e8d8f7cda456b2d928bdadd6f7ec8bccb478d00cd45b28d494bb37

SHA512
a88345b6309541b9e492f8d8c39bdb71bc82870448ce8b7c80c2de480382a7a7720832cb09cdf8dabfbda427cf448b1f404fefb7a42dbbf4aefde0b3ca867a05

Download Submit
C:\Users\Admin\AppData\Local\TempPTTNF.bat

Filesize
163B

MD5
212ffe3401009ab8dbbb58eb12dd1593

SHA1
e1e9afe41d73b05a698b647b59c58e9e59e693a1

SHA256
7b959c288333bfd87580ffadb8bc630492dd844f08b2d316f18a96129e01c19b

SHA512
ce6159cff22045689278c4265306573cac737406762f7f5d613b57131ede5c7c829d9f493b74aec6c39322df1936f3fde6c2ad86c1c15443ab82cf6081f807d3

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
399144d0d3a6d0f86c20c98472449bb8

SHA1
db3f75b699d804bd4da6af8f3d36be54b68090cd

SHA256
586be19c1067fe244d6b4a0a80ac96cdf8625cfb4dc92effca04e6c920c730ad

SHA512
014daa8cc281dc6d655c2e51c498876ae541817fbbb5c6136f3ff6ef3407e2718a9e43d9624dc82a3a2f9eb1126fc7a6a2f155e6639c5914aac9e2d1b9302532

Download Submit
C:\Users\Admin\AppData\Local\TempQUGEI.txt

Filesize
163B

MD5
762176b93392d3fa185d87beae5d603a

SHA1
661f80428f4c1d317155659a2063b5454e059ea7

SHA256
d90e1600d1aca150e396b865ba705281910a05f294ec56037f762927bced96ef

SHA512
7570c290aae23c81bcec7ede20e85811e4dd31168dc4f5eb992aff042d4a3ec7ea4687680003cdece0d53c142f6cdeac50f89d29cf28d1c82099be6c50277f97

Download Submit
C:\Users\Admin\AppData\Local\TempQYPEN.txt

Filesize
163B

MD5
38ae4247b8ce1f6c48a227f553a5f848

SHA1
a4e6510eec6631850b93c25c83682488bda5f890

SHA256
98aa913240b71d6d2eb946bdc4da07fa5e178f4c41c12679327a7dc68881d8be

SHA512
3af422af9c3fc40d71eb97d80336b7db3f6a5324adb805dcb11bbd09b11afd7d107bbff78a4b0a587b8151e445503130e1166ce1f123afdbf754184f278771aa

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.txt

Filesize
163B

MD5
5d3f8c9f7ed635f4e6fdebdae32e64d6

SHA1
463326b0e09f78fdcfe26e29ad3e802cf55a4f8f

SHA256
83e84c2e1c5aa7c04c1f9ddfc80399035abffb68ac7700ba12d18aacf7f89359

SHA512
ad44dad082d299f9b3bedc2006dfdc70445a8b3d460d68c0a9a8c2964d33d2d9419912c27e72b3d2a191eef1de6e1d7dc9681b1b5d9a3dbe756b288f50cde882

Download Submit
C:\Users\Admin\AppData\Local\TempRSQYK.txt

Filesize
163B

MD5
414c0ed88ae7d4627826a7f49fb3ea35

SHA1
6d22d9076321ed11d172e8973fa85a34b9c0d169

SHA256
5d7a363575ddf6ecb0daad3ca747f73bc43cae6369f765d87ac11a18dff349cd

SHA512
ea34c0533ad61fec6a4c1e6f1db768ddeb9e1a83cfe70b830acaf8852395abac46bbabed7914bfc621d5b68df58ad1349ec843d4a26b55b8549261643189f2fe

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.txt

Filesize
163B

MD5
f16c1205b7c8cd72877428f0b354cb86

SHA1
84a0cb14be7cb50b297871f4f955eec063c295ef

SHA256
9c38ec8952b4a829487fa54366720be3295c805cc78973c4a89d51dcddeccc5e

SHA512
5ef4b9f9a9df86623d30932f85948a6318bddd7620ea86f91a39fef1e5ba30355b7efee4adebecc157eec77fdce2855b8ffd5332df76915d6cbca45326cd446b

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.txt

Filesize
163B

MD5
afe7400510b05eb5e1218f576970ca51

SHA1
7f68522a557d74965cc7b702dc9f75552bb7836d

SHA256
876788acc80f4eb2d94953ecc02989b10bd30076722a2133946185b3b3964ce3

SHA512
b148234553a73d6c54bed4f776f0d060ff1ded68508e7cfed47a869e8c29cb444b1a78c894541aaccd07acab7b7c1a2a9557bb1685fd779e4ef1439be66bf60f

Download Submit
C:\Users\Admin\AppData\Local\TempSRDMD.txt

Filesize
163B

MD5
e5307fe4278c7d6befd3537674e58809

SHA1
f6c5f776af8f95d74ecf00c32d7a5e988d2cdcd1

SHA256
34feb0e4f97995ec6a007a49689d8f0e054ead10a7b7785e847e6c40735c8830

SHA512
0f4c12407a3f5cf4b9d7274f64650487042484a71e5b35e05fe30668b32b90ed8b8f3dee85dbab3ce9d09053da0a71434833cbf1e394911f769bd6876640f9aa

Download Submit
C:\Users\Admin\AppData\Local\TempSTYEF.txt

Filesize
163B

MD5
4573a21f42451a14faf5facf42ffd274

SHA1
6718528373c249e9c14b48ab6e3555e13af5f24e

SHA256
13a8907d5761782606d4b373d7cdf80b9d094c200b8d173e1a294397d525cbbf

SHA512
c7f37c87295e9da90d37ea893f9bd7f34477d1bb835659037e82688145bbfb78385171890662d0f64b443a3ae9ea149eae87d64701d2b55ae1701f61f057484a

Download Submit
C:\Users\Admin\AppData\Local\TempTCNUY.txt

Filesize
163B

MD5
2fb3c678890e3b4a260e8fd9180c6a3b

SHA1
23da7dfebb1c8754429c27de762fc807d9495285

SHA256
225577abdeace193c445ca4344401d7c9cbfeff32fed4630b6ec37eb6dea3fbe

SHA512
2f1ffd9f0cc238ffdd9dd02ea8c2e5fc90cbe60ea7af1c69101ad1791b1169a63286dfb9513e21f8a17bc6d4a6a3e16ad2265f28bc8314fa74aa65b2341fe6f4

Download Submit
C:\Users\Admin\AppData\Local\TempTRVQY.txt

Filesize
163B

MD5
904bdc6daa5b355bb7e707ac95b31aa1

SHA1
d9410872cd05128cf42b1123a381d5f562df355c

SHA256
46d7c88c67d6db6d36de667c459a53b5009070737308c13d49733fa33f921ce3

SHA512
bdd5c071e6888341b0c501952d980a8ae2fa5fbe8ecbb4f6b2be11864d6452edfd6c1d2bcf7bb8a5d3483e6ebc6502e22e4cab49cf7482730cc8bebf87b7c663

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.txt

Filesize
163B

MD5
35a1ab43d0d9daa94f8a90d1fd49b4a3

SHA1
75695acca8167e2c70acefd9c9a8a5b5fe6d66b5

SHA256
a1f6789a3bf9d6d15633e5efddc4250dbb70d98eedb06d6315eecf38462ad2ea

SHA512
6a4e61c922a124146450bab7c7cb22a1f11e8fc77cb4ae069a52e163d30d9f7fcb9a22d43148da55c4b73b94018a5588c4d98a5e1f602542ea4526649423e3f9

Download Submit
C:\Users\Admin\AppData\Local\TempUJXFN.txt

Filesize
163B

MD5
cff321942fceaed03d05c2b275a765f6

SHA1
84fa3a545b36a0cf57a0d704943dcb69840607e7

SHA256
a34fc6b8195fa457a09680e8efe2838950c3a428186944a2d887a7f68c64ed8a

SHA512
566a1495cd989e2b2b97e95f7704a539369dd67b53cb66bb9680d5a83248452a3948fb2621b5f6bdaabdea4c790fa5a3a6fb4c2fe4fdd5bbaaa90093eba25047

Download Submit
C:\Users\Admin\AppData\Local\TempUTFOF.txt

Filesize
163B

MD5
b2edf71ddf851dfa763d5c7d9c06904b

SHA1
8a3402d7afd07aa96a07f3eae69347807c80163d

SHA256
698427db4cf271d3664676a3b3b04ebaab6d8008395614e87965292bd9f3ffa7

SHA512
3b87cb844a4567d3e5f7790416cfd49f98bb147f181f821afe5cbd22c9caa254de9eed652cb51d2d6b8e625500250997c2232cc6ad824d3357c34447b24ebe31

Download Submit
C:\Users\Admin\AppData\Local\TempVHOTE.txt

Filesize
163B

MD5
473401de9b026907ad056b6e434f87ed

SHA1
82049a8f2eddd5e6e6d729e31c852d2a2d84c4bd

SHA256
93963cab3337a7cb0fc4c1bb87cb8a4b769edd9a12eb8b5224525ff9e692134b

SHA512
bbdbcfc4098edbaad6876bf6bc59c376836e3162cda38f9f38ba27d6d7f5d9d866736912d33558d27be3effc379b7a9cd6006a36ea4ee281503edbc3c760a593

Download Submit
C:\Users\Admin\AppData\Local\TempWEMDY.txt

Filesize
163B

MD5
557658f9e62459091e03e1a4a051071e

SHA1
da48c35ce76b1cf182f03fa058b06b5436eb7e34

SHA256
60f8025e25c64dc8a37d12068383d51b30977da061b4ea706194e2fe7303fcb0

SHA512
1642c65e82114fdbcc2741b3522f86772413f2d5757d2e8f326fa7b534ae49ecb2d55cf710e57c92a0ac391d8f0ca9fc15b3be3843a17675d48bb34c1123fd15

Download Submit
C:\Users\Admin\AppData\Local\TempWHIFO.txt

Filesize
163B

MD5
372f1fd8e1f15880db2d094c958b3ae0

SHA1
7c0f7c4453a9169d7be6e206bb23e1936916fb57

SHA256
b949dfc92398f6764400bbfd041d84a6068d5aed9810e854621e129db4b2c688

SHA512
2a592937cc6b29d9f49694f5f5b7aebd83fd57ea3ce8d89f57fd8c085fa2442ef47ef2874f08583baf3895d540eea26750704bded2df23262a81d79ff4353ae9

Download Submit
C:\Users\Admin\AppData\Local\TempWIOTF.txt

Filesize
163B

MD5
652f407aec6e62db91f8dceaeb49bb33

SHA1
0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe

SHA256
9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e

SHA512
7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960

Download Submit
C:\Users\Admin\AppData\Local\TempWLXJH.txt

Filesize
163B

MD5
9bb0f2ce91879538dd2badfacca8fd57

SHA1
bc18ce520a84537078db960eea0e193210739365

SHA256
2234df9453fdddbac802b37a85b779b43c7fc97461131041099bfa0a94ea60ce

SHA512
601bb23fed004550d72cfbefdb509db5246da66b0d2c4dc5241633b013a501a248f5579c62b1553eee958ee3b21d362ca871b2a4a7338349abe64f8c072357ec

Download Submit
C:\Users\Admin\AppData\Local\TempWSAGD.txt

Filesize
163B

MD5
0743b5612c589d6ff2a494ec5a13a584

SHA1
91dce639e372c79b5fb6f642dd30672ba4d2868b

SHA256
d63402edec4a2beee0d33ab575ae7f36093ed1a78a2ad9835dcfc8f1dd086997

SHA512
2318b3fb0df2d2ce954c8989b10dffdd955d76d4fa38339dae75b6791c3e638b7d93f13760e01f52fe3a651dc43d7d4b531be311b726ddf0e5fda6255c7b2874

Download Submit
C:\Users\Admin\AppData\Local\TempWTRVQ.txt

Filesize
163B

MD5
ffadd0fb714cbcd289f33fae492f4e9a

SHA1
3ce76f54fa4d76c58ec4101142415c94308d1d3b

SHA256
c34f7d454b2727ab2ea397ab61ad55525c97e099db976639cc00b0571977d687

SHA512
fc0d3a35af7c65eb73e531d2cdff27f5dc07ff37a2ed48bde686b29c49e055bfdfd4b65dfcbce6280852c7bd419ea1ac843aba9397e90434c4fbac97e7a3a733

Download Submit
C:\Users\Admin\AppData\Local\TempXAMYJ.txt

Filesize
163B

MD5
f3f77dc9b777f7ca443c64fa436bff1f

SHA1
f8032873c162f50559c4ae0623d2dd513ce98fa4

SHA256
beb57876b5d2488a0c3dc1813b20f44de4fd6978a8dd0b2e9b685296d32294fa

SHA512
28c949fe42a935e467a8573f7b551a798b4f10218a2ce0beea243c5500f23515caa5f4a834da9ef202a1c617e755cfd025ffb2753c38c308ff11effe3ae95f1c

Download Submit
C:\Users\Admin\AppData\Local\TempXBPSS.txt

Filesize
163B

MD5
7e3ead2c0b32447c20b8cbcadd9771c7

SHA1
a20dfbc364e4a79d41aaedc519e234cbad1a3873

SHA256
19690e5ac2fb4a4a9479faf21a8fb5e8b6ace3dba9e1f7f0097b6cd8b2a0ef86

SHA512
b0160c9e54b60fe92db7c2a032fa0be1f32eb137a228e4fa860f811e3712cd77c5492860ca8210a845170dd10525a5e00172e2b28d82041797ef8319b476413c

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.txt

Filesize
163B

MD5
d86f35bc200c894c32894165bf53dceb

SHA1
0ea57614584f15a1e1d06bf08c226261c58cdd9b

SHA256
6c50acecff7be17f13a3001ad3ed39dd3dba7fbfb4f850d6ff9ce671e00e428a

SHA512
cd586e161fbcdfbe68f96bcdb4db8a742b9b0f0ff678049b917dedfec29097589c2a1c7ecfe4b7f3ae5dca27161d635b2dc47f407e7c44aaf32149f0f4ce6577

Download Submit
C:\Users\Admin\AppData\Local\TempYAHHQ.txt

Filesize
163B

MD5
6d8fa1495ee77d9ac0797fbdbecdc57e

SHA1
ebcc0b0c580b3d910365da283835a9ff3ae800be

SHA256
efadcc69b1740387bdba8f669720bd8a72bc7a9ab1b7cb51979941a6551a9f6e

SHA512
d007f96d4bb3e35116688badb6b83676ca50499baee0b4918b18bac68007ecacd0c83ba6606143b011423b8a8274d968fa5fd8711f9dac62c0383f562b3cb21f

Download Submit
C:\Users\Admin\AppData\Local\TempYDIXY.txt

Filesize
163B

MD5
7917ee7efd7682a8b5d9af6b82f62ea7

SHA1
f3f91b4647dcd4bd4a769500bb228077278e4352

SHA256
f83b7c758c612004b7d51333eb7a32787bb352aa86d65b1a6078dff102dee24f

SHA512
2784026173224796b4966b39c88e0059c0c76627f0cd936206dcb764d2069d6f7d247373b67c31193ae6facdd3d276aebb9b03e969264cd0ad9c2f652fc588e8

Download Submit
C:\Users\Admin\AppData\Local\TempYUABH.txt

Filesize
163B

MD5
33ecec2c4ad36bb32fc4f4b9015b90cc

SHA1
6f36af65b229f693641fab0fd68fb8a79f9489a6

SHA256
1001f3532dfc8aef870458fdf6dfb040163f0d9af8e65f49663b55a336011981

SHA512
f7b1758df419ed834788cb20d94fab7c210c97211f4b30a0332691f6311575b07933824b10b8ec2a3c1a74a475cfd75ae87b43eff4e66ca153c2aa34d8093840

Download Submit
C:\Users\Admin\AppData\Local\TempYVEQW.txt

Filesize
163B

MD5
c7f72852892628ac84d8a994f0738e9d

SHA1
134a65e9fa0e76f3ee9615e35e7d176e0f298812

SHA256
ec1ee9fff0640ff5b0c6102421e7e7c35e91531beb6bf3614f378e12b589aea9

SHA512
38d420f99d44bae1ac91ec3d8c104423138de5f641f9f490eef4aa0d66307d5f80bdffc5bf72d2a2478202bbaf4ca26adbe4b7d9a3cd2e73d698a6f6e92983e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe

Filesize
520KB

MD5
8bc4af22299b19ed52d886a0305adfd4

SHA1
c921c23239f8a02c2f6a967e2cee8dc02a8241e5

SHA256
247d01eeb2a283bec5ac70d6a1ff68aaf46beb0984486f29f0c9d3652103c46a

SHA512
135430662457f317ac9795da80a4efba434fbb0de2da28b0602dada7aa385c5bb65365c2b667b67307c61f4aa48e397e65e9f303781c891ecf120f760260d1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMVDAYOSXEFCLDI\service.exe

Filesize
520KB

MD5
a1b4c5b1ec8934306226d85306c55128

SHA1
e7c48c5268320189fa9b96fd4a09ae602024bd76

SHA256
04daf93f15d69a1662779e7694967a2a9bd03612f2ec7724e2fefe7ea6599d62

SHA512
d77d58743662f5c0e1c7d14dc7ff7ff0a35f29c525747d6e5e68e52b612cb415339aeffe4ca370e1fd58dd0ccbea2e88c94b47359285124efb94a0985722c584

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

Filesize
520KB

MD5
c3ff16e76a4c3f2165c36ab6de72cbde

SHA1
b458af6c9d692dce200210e41c3d4a0f130707d9

SHA256
1ae0c687108ac48520d5de0e13438170f09c85c80543686a020327fe454efd9b

SHA512
b66bb706c5e56ffd3507fc2e975954961b2b641be4ae9a9454ffc6129f7f091d1db178e474c0a075d7b2827f854cf9927493031e79a9441f624fd1f7eba3c68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe

Filesize
520KB

MD5
f2a23ec8f98b7b5543d8b9bf2f3f2555

SHA1
acdbe5dfdec2cc5510d74c5948aa7f05556a2fb3

SHA256
a17176d3a188d551330415deb4505b242ec4c9b421de8d4588cb9e57098a8817

SHA512
c378749cf9dc636955536f3676eda0cd68d15e555bdf865b051e96190beb87051a09ef466a9b9c0f40f3b0a5f853558f2c44b27af954c1358fe34a13b08b399e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe

Filesize
520KB

MD5
47741c91eedf433ba4e18c14c5112b82

SHA1
f5672f8ef36ead3639d2959ecb4bbeda05314bd6

SHA256
682ed5eecf0bb13ffdf6c1862046059c7c9f423b06e2e65c6c42b02cecdcb879

SHA512
ec47eec606da1f23f007f1a7bf033377d46f37414c53240b6d912cfdae588c4fd66f7fa3b286319c14fcfb38df006ed97a6ed1ac3136165aa436903ea03b5bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

Filesize
520KB

MD5
6a87a5e7a0cec73af36dbef9fcef45ca

SHA1
5a6005501c55bc99ab14028fe131f79f439eb752

SHA256
026ebc61a19fc1560071a6a656d475a70f0204517c21cd7919dc4da19e1f9ae6

SHA512
a8bd4e0eda8eb832eaed2d38a2f2618fab20eca20884e05cf3ddb2895e02b1f9bd027bc97555060ebd19b6c10d9a6c4a06a8302aeefb17daad213451a64909d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe

Filesize
520KB

MD5
993ec5acb2d079df75714c945fca1a93

SHA1
21e926d9d4e75a2a2687a2e5d998bd37586b7a7b

SHA256
33f91e83b8b08c49540fbb8fcd1ffa1a8a8bd7738ceb79debc93bb30418eeed5

SHA512
7763319ac80b3ac9236ae7f5ce24699e4e2b1f5997023dc5d071131da6dbbd3e1646c185d4fb6e8a50e944c433fa051c22c55d4f466e9689accc86bdad112141

Download Submit
C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.txt

Filesize
520KB

MD5
f40dc41c233b39c361557604a42577b8

SHA1
ba0cb7a27dff97aa743b9361e5230aa5319d5031

SHA256
ec7a74013fb097ad0c9cb4239a99e599bdc70a64d53e7bca253706ceaf35802f

SHA512
e1b0e56fe06033e738b71ac6e42b6901bdf242b05c914b1175e30e45869ba0a0aaa40697d44e4cf73900eee6ddc20588b86473e153809616edf7e038f44c1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

Filesize
520KB

MD5
98a339085370909d3ad34315ebb5d190

SHA1
d94c29cc0cbd5d512ff8edaff829a74fe5a51153

SHA256
f7f66e0bdc67b5293271e145fb0c68e8e1616e7df4b09acb1f7b490c594623e3

SHA512
cf835cec815378537cb024c809caa75fa7f017cb12b98493959717564155d8f478367073c89f2e42cbdacaedd046a0864c6b314f6d016f954b0782328698e5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

Filesize
520KB

MD5
9cc68650128b9c0e2ea34c5431c45df9

SHA1
aa229984ce846bfc1c0e724e04190138c2221ee3

SHA256
14201b1418f1f4f5e4c1a905342004fb5a148e78686bb0048ef410b28ffe359d

SHA512
2b251b195da1c327cd8b2413572105a1c85e8666aac1a443e0adb92ca817f41cae40418083bc2a2fa1d9cfca656b2c6bb7902fa30e436f30861311ca8ec8eef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

Filesize
520KB

MD5
73f47bd42e68672558184be5bd418003

SHA1
29e17868c4c1c32b388ea9b7b1575a4b8891b7e8

SHA256
78d400bb49ea0fc24802e8e30c838ebbbe6f60565e86082f771d9ecca3f247a3

SHA512
df30e7e2d17df2ac4e8dd13f94879d0b4f80124783af0391c9b4dc5ddffc98bda6293b74b4a0d7a480ee194cd6d51cb12d014bdf4d735001575ee41b11cf1492

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe

Filesize
520KB

MD5
1ab04f9b0e3123d903f8bef9271d57ff

SHA1
91a1dc55f1fe7f7d252a876b303df6854414ca42

SHA256
d536cb0183d7b6e81784ad41cb7ce6d02810f98feb32af2cebd2298f589702e9

SHA512
bfe41e185ca18079933ce74846217c0560ce09a4a37fe9d3a9ee2b970c86322df7b2958ba8fa8fd527cf6fa67cddded9161060a566792bef18dbc4daab5599b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe

Filesize
520KB

MD5
54212e06fe3f95d81a7ad0acc352a77d

SHA1
095e5ed3d41a1be0b65d255b1cc06a7101c640dc

SHA256
f50262f0f4c3e2690121b58a5bcf67911b562f920d064699c42f2c471227ac32

SHA512
238d06a748281010351c1860ccde270704bc1b4ce9d4cc2bdbe42b6fa24ee69f7b5f5de6ee5d3aad8f21b700bbf38194708e0b458691d4efcd78fa502328fd23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

Filesize
520KB

MD5
ecc36aacffb46b3c8a899a7d6c3b8442

SHA1
5f532ba0c8f944d39e0281697d973e9d940854ba

SHA256
5fba9261e31524293f9706b050f7ab29010e680f5735ce9d8ff4f8103397e5b1

SHA512
36db2684f573613be9db5e69019e9448fd47c71e0610525f65840087ee827544fb703255b87c9b547dcdd9de42bfa88a3267e56c1ab04fdc27a38fdbb4de212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

Filesize
520KB

MD5
c6bae7fc854bf202206878b9546d46bb

SHA1
119bd1dcc78728450a2df95efe5f80c81d257fdc

SHA256
c8697e0f6d17336d459d3c275f95ddb5d275688a8c0a6cec6618ebd757490059

SHA512
e67f3331d00b021b0eda113cdb69640675d40b207c3c57f5e27fbf62ba9fd0839ad52228731924f995d440717da0aeb8d0709c0855ea54e174a71d9dd85bf7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVMH\service.exe

Filesize
520KB

MD5
314a678e4f08793c0d60aa78561d0478

SHA1
3809be504b9384d80d227323798613b7dac473a5

SHA256
9e06451ff30c0515c52fc0f22970379f7643601f16b5981f9135acfb89d94296

SHA512
f2fc1faa6169cf1da91babbc624efcf563a559cd60152f1ee711ba372e30a4c283abecaa4ac312638cf9b4bee7389f448ac1ccd8f2a2b7cd3c6e80a7c0c01bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TWLFDLUKPHYPDOE\service.exe

Filesize
520KB

MD5
ec4b4ad88535843ef289d7f9e93348ef

SHA1
f7647c9aec9167a944207733e669b061217fc155

SHA256
68a9d08e82d74978b333b54b5ba1336e2f6fdeaa70baa66eec35ad52b2e09033

SHA512
5573ebea28f51223fa0e3f9185832c5d0214563b75811485f948d8f664a12d76b9797f99f0af55f44c2bbdf646f0d1854d122394ef055fed58bdef7cf6d4ebc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe

Filesize
520KB

MD5
19c55527ff809b7eefc05095aade0f1b

SHA1
7fa9a2afce90f068fa95c9ca3afe54cade92a5b2

SHA256
675b558c5bd0c1f7a2b9dc033a993c23ada22ad9441fb81ed0587e803f40ea58

SHA512
afc93053934c0d31665d34bb99be61bece60d9a6586c16e65244084a353533140f3bdc0f2d98697ab805dd6e639891dbd000500550cff2c306b5e875d080595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe

Filesize
520KB

MD5
2a74140b77e55d6a52583aff7471ac71

SHA1
532296ea952c1408d1eced528d7ceb1649fd9492

SHA256
df127f7664ef0cf7acb2e7cc71019b552d8c5ebf27fced33faea357860b32d6f

SHA512
ab358102b05b53e60f8470ce3ea97ff3c609d627528b81f0c4832b9c8823936c11f5060b35eb1d62b426ff8a70c6545c556cdbc39c0695763ab6ecdb7751c10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

Filesize
520KB

MD5
22f1f8b0e3d8eec3eaf103c5c797d0ee

SHA1
72cbb15e4e5a90ffb40561c05d4768f90ff8c972

SHA256
a7e7ca1082f5bfe6e45c6bb8ec019f69775e26393fb9f04755a639b6408c48af

SHA512
f828ad718b7e2c7f347580ed038d0570a52ca33d766ee6283b96d8fc0056e28a9420439d106d42cb56eae8d99e226e09077bccae99c83d2bdc51992d1419db6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYPK\service.exe

Filesize
520KB

MD5
9358daeb4a3a3d5e13d5c3bc3d095da9

SHA1
9e3a861446ad35ecb4865f084036c228e6eaff0e

SHA256
6fea86ecd1ba718a914bfaae7fe72295bd881e0c73997960d6655b13dbf8df8e

SHA512
95c84bac1b173ce4609ea83cface5a313bbbfd47f6b79b82183a9320fbcfb809719e07430167aef5b26071bab03d0c78205590c80c23b8276530abe2b1931933

Download Submit
memory/3188-1890-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3188-1891-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads