blackshades | 7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Size

520KB
MD5

45215ec7f8b8c4970d04c8aa7fe60c6d
SHA1

18c3f4806fe113ad86a062fb7bbb264c7faa6bed
SHA256

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76
SHA512

b85585ee0a0fda99228e6b6fbd5cf9542182645ad20b9d71a0f9f507e6e279c3ca2d2f67dba0d0e43a2b4e9e9e04c518a126f8f0b4463aad28e0ba73f1d8e4cb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXq:zW6ncoyqOp6IsTl/mXq

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/1064-1123-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1122-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1128-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1129-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1131-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1132-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1133-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1135-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/1064-1136-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPFB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 44 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 45 IoCs

pid	Process
3544	service.exe
1932	service.exe
4392	service.exe
2828	service.exe
3320	service.exe
1128	service.exe
768	service.exe
3136	service.exe
3644	service.exe
1456	service.exe
984	service.exe
1640	service.exe
736	service.exe
2644	service.exe
1936	service.exe
1656	service.exe
1364	service.exe
4244	service.exe
1764	service.exe
1544	service.exe
1432	service.exe
4024	service.exe
2740	service.exe
208	service.exe
3132	service.exe
3420	service.exe
4296	service.exe
4932	service.exe
856	service.exe
3556	service.exe
208	service.exe
3404	service.exe
3456	service.exe
5060	service.exe
2008	service.exe
4640	service.exe
3428	service.exe
4268	service.exe
2524	service.exe
3456	service.exe
4208	service.exe
3792	service.exe
3368	service.exe
484	service.exe
1064	service.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHLYCMSKBACESAO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCGHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEFBGBWRFMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXBYTRAAUJXFNFC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UUCQPBKBTLHCSLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBGPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OWNBCXTOBXJYDIX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYPMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJBSKGBRKLUYLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVVIJFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DPQLJMBPWGRWGSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSPAUHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJTKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MXUASWRNOBHOOXT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYGQGLDULKAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ABWSNAWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CHWVJKGEGWJRALQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FXOLFVPAQPQNWIO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UFDHCKVAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JVSPTPWLMELMUQQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FOFXPLGWPAQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYRHRKJLYBGUT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJKHPBIMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWXAKPWXIACQMLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XJSJSPKTEUETURA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAQHRNICCRSPYKQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKSKTPKTFUAEUVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UASWRNOBHOOXTSH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTXLBOKIYXNNPKD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYQMHXQCRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKNCIVVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITVQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTONTPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HQNHXRCSBRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JEDRHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKDIPYBBPUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOERNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESOMRDQTOHKLUQD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LGVTJTNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLYKSKTQKUFVAFU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 484 set thread context of 1064	484	service.exe	286

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
984	reg.exe
968	reg.exe
3380	reg.exe
4344	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1064	service.exe
Token: SeCreateTokenPrivilege	1064	service.exe
Token: SeAssignPrimaryTokenPrivilege	1064	service.exe
Token: SeLockMemoryPrivilege	1064	service.exe
Token: SeIncreaseQuotaPrivilege	1064	service.exe
Token: SeMachineAccountPrivilege	1064	service.exe
Token: SeTcbPrivilege	1064	service.exe
Token: SeSecurityPrivilege	1064	service.exe
Token: SeTakeOwnershipPrivilege	1064	service.exe
Token: SeLoadDriverPrivilege	1064	service.exe
Token: SeSystemProfilePrivilege	1064	service.exe
Token: SeSystemtimePrivilege	1064	service.exe
Token: SeProfSingleProcessPrivilege	1064	service.exe
Token: SeIncBasePriorityPrivilege	1064	service.exe
Token: SeCreatePagefilePrivilege	1064	service.exe
Token: SeCreatePermanentPrivilege	1064	service.exe
Token: SeBackupPrivilege	1064	service.exe
Token: SeRestorePrivilege	1064	service.exe
Token: SeShutdownPrivilege	1064	service.exe
Token: SeDebugPrivilege	1064	service.exe
Token: SeAuditPrivilege	1064	service.exe
Token: SeSystemEnvironmentPrivilege	1064	service.exe
Token: SeChangeNotifyPrivilege	1064	service.exe
Token: SeRemoteShutdownPrivilege	1064	service.exe
Token: SeUndockPrivilege	1064	service.exe
Token: SeSyncAgentPrivilege	1064	service.exe
Token: SeEnableDelegationPrivilege	1064	service.exe
Token: SeManageVolumePrivilege	1064	service.exe
Token: SeImpersonatePrivilege	1064	service.exe
Token: SeCreateGlobalPrivilege	1064	service.exe
Token: 31	1064	service.exe
Token: 32	1064	service.exe
Token: 33	1064	service.exe
Token: 34	1064	service.exe
Token: 35	1064	service.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
3544	service.exe
1932	service.exe
4392	service.exe
2828	service.exe
3320	service.exe
1128	service.exe
768	service.exe
3136	service.exe
3644	service.exe
1456	service.exe
984	service.exe
1640	service.exe
736	service.exe
2644	service.exe
1936	service.exe
1656	service.exe
1364	service.exe
4244	service.exe
1764	service.exe
1544	service.exe
1432	service.exe
4024	service.exe
2740	service.exe
208	service.exe
3132	service.exe
3420	service.exe
4296	service.exe
4932	service.exe
856	service.exe
3556	service.exe
208	service.exe
3404	service.exe
3456	service.exe
5060	service.exe
2008	service.exe
4640	service.exe
3428	service.exe
4268	service.exe
2524	service.exe
3456	service.exe
4208	service.exe
3792	service.exe
3368	service.exe
484	service.exe
1064	service.exe
1064	service.exe
1064	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1800	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	90
PID 548 wrote to memory of 1800	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	90
PID 548 wrote to memory of 1800	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	90
PID 1800 wrote to memory of 2392	1800	cmd.exe	92
PID 1800 wrote to memory of 2392	1800	cmd.exe	92
PID 1800 wrote to memory of 2392	1800	cmd.exe	92
PID 548 wrote to memory of 3544	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	93
PID 548 wrote to memory of 3544	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	93
PID 548 wrote to memory of 3544	548	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	93
PID 3544 wrote to memory of 4912	3544	service.exe	94
PID 3544 wrote to memory of 4912	3544	service.exe	94
PID 3544 wrote to memory of 4912	3544	service.exe	94
PID 4912 wrote to memory of 2444	4912	cmd.exe	96
PID 4912 wrote to memory of 2444	4912	cmd.exe	96
PID 4912 wrote to memory of 2444	4912	cmd.exe	96
PID 3544 wrote to memory of 1932	3544	service.exe	98
PID 3544 wrote to memory of 1932	3544	service.exe	98
PID 3544 wrote to memory of 1932	3544	service.exe	98
PID 1932 wrote to memory of 3556	1932	service.exe	100
PID 1932 wrote to memory of 3556	1932	service.exe	100
PID 1932 wrote to memory of 3556	1932	service.exe	100
PID 3556 wrote to memory of 736	3556	cmd.exe	102
PID 3556 wrote to memory of 736	3556	cmd.exe	102
PID 3556 wrote to memory of 736	3556	cmd.exe	102
PID 1932 wrote to memory of 4392	1932	service.exe	105
PID 1932 wrote to memory of 4392	1932	service.exe	105
PID 1932 wrote to memory of 4392	1932	service.exe	105
PID 4392 wrote to memory of 3836	4392	service.exe	106
PID 4392 wrote to memory of 3836	4392	service.exe	106
PID 4392 wrote to memory of 3836	4392	service.exe	106
PID 3836 wrote to memory of 4368	3836	cmd.exe	108
PID 3836 wrote to memory of 4368	3836	cmd.exe	108
PID 3836 wrote to memory of 4368	3836	cmd.exe	108
PID 4392 wrote to memory of 2828	4392	service.exe	111
PID 4392 wrote to memory of 2828	4392	service.exe	111
PID 4392 wrote to memory of 2828	4392	service.exe	111
PID 2828 wrote to memory of 1484	2828	service.exe	112
PID 2828 wrote to memory of 1484	2828	service.exe	112
PID 2828 wrote to memory of 1484	2828	service.exe	112
PID 1484 wrote to memory of 3568	1484	cmd.exe	114
PID 1484 wrote to memory of 3568	1484	cmd.exe	114
PID 1484 wrote to memory of 3568	1484	cmd.exe	114
PID 2828 wrote to memory of 3320	2828	service.exe	115
PID 2828 wrote to memory of 3320	2828	service.exe	115
PID 2828 wrote to memory of 3320	2828	service.exe	115
PID 3320 wrote to memory of 3872	3320	service.exe	117
PID 3320 wrote to memory of 3872	3320	service.exe	117
PID 3320 wrote to memory of 3872	3320	service.exe	117
PID 3872 wrote to memory of 3620	3872	cmd.exe	119
PID 3872 wrote to memory of 3620	3872	cmd.exe	119
PID 3872 wrote to memory of 3620	3872	cmd.exe	119
PID 3320 wrote to memory of 1128	3320	service.exe	120
PID 3320 wrote to memory of 1128	3320	service.exe	120
PID 3320 wrote to memory of 1128	3320	service.exe	120
PID 1128 wrote to memory of 3720	1128	service.exe	121
PID 1128 wrote to memory of 3720	1128	service.exe	121
PID 1128 wrote to memory of 3720	1128	service.exe	121
PID 3720 wrote to memory of 1912	3720	cmd.exe	123
PID 3720 wrote to memory of 1912	3720	cmd.exe	123
PID 3720 wrote to memory of 1912	3720	cmd.exe	123
PID 1128 wrote to memory of 768	1128	service.exe	126
PID 1128 wrote to memory of 768	1128	service.exe	126
PID 1128 wrote to memory of 768	1128	service.exe	126
PID 768 wrote to memory of 2420	768	service.exe	127

C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
"C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFOAXV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JVSPTPWLMELMUQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
  "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGYUU.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLJMBPWGRWGSE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
    "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:736
  - - C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBMTYJ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKSKTPKTFUAEUVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPXPJ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESOMRDQTOHKLUQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNPYUA.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSPAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJXFTS.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNHCYQ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHLYCMSKBACESAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        10⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTLFA.bat" "
        11⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCGHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSHQDY.bat" "
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MXUASWRNOBHOOXT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFQX.bat" "
        13⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OWNBCXTOBXJYDIX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQDYCP.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UASWRNOBHOOXTSH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
        15⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ABWSNAWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRDKO.bat" "
        17⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJBSKGBRKLUYLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        19⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGEID.bat" "
        21⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSBRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        22⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVSBNT.bat" "
        23⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYKSKTQKUFVAFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFAVOU.bat" "
        24⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWXAKPWXIACQMLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMKOC.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXBYTRAAUJXFNFC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOXO\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOXO\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempANYVB.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHWVJKGEGWJRALQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
        28⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIJFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVYLMJ.bat" "
        29⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UUCQPBKBTLHCSLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTECGB.bat" "
        30⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXOLFVPAQPQNWIO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        31⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHRMA.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTXLBOKIYXNNPKD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
        33⤵
        
        PID:484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
        34⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWREMG\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWREMG\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQCRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFUSISMKNCIVVHP\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMSXJG.bat" "
        36⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XJSJSPKTEUETURA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAQHRNICCRSPYKQ\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        37⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        38⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
        39⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FOFXPLGWPAQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        40⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
        41⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
        42⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        43⤵
        
        PID:248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "
        44⤵
        
        PID:2108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JEDRHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKDIPYBBPUMUIS\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKUQDA.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOERNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        47⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        48⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe:*:Enabled:Windows Messanger" /f
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPFB\service.exe:*:Enabled:Windows Messanger" /f
        48⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        47⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        48⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        48⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempANYVB.txt

Filesize
163B

MD5
4539237e0c40d09481306be5c13e248a

SHA1
4484b39391af648e06199e8768e98c2220b712f4

SHA256
73f893e8cc696993395c9b31746764c7fbf10af19ad189e8ac80f7782eeafdd4

SHA512
f85790c0e23ed49ecd7a2509cb06c3eb1a2a348d11be7e99c34f811305fd69663ec768f4eee8e6797467affa9413628893acaecb0b66ea4691f22afccd766fc1

Download Submit
C:\Users\Admin\AppData\Local\TempBMTYJ.txt

Filesize
163B

MD5
baa6e714ec8dbd5db1525061ac7ea576

SHA1
5785200e2eb3db03968c70169231d139d13cae44

SHA256
45daf1d9c7085f5e6e0ec27570577472504da0895a7e3323db39d088bbed7f52

SHA512
67afc75c02785e921a69b996f0fa07336abec86a3651a7d42fda4e05747418f933557f31ff3e31b598734478110b6e5f1d1a745f8d6539998ddb01832df60db2

Download Submit
C:\Users\Admin\AppData\Local\TempBPXPJ.txt

Filesize
163B

MD5
92d9cd1326c6c17162208f72260578fa

SHA1
a8938fa2a6d896a84e8a6d8ba28a5ab309344a93

SHA256
bd7800d4242927a85e37a57012e190d579f4e596b239dad29239c54c7b265004

SHA512
602eca4ab3835531cdd527ef7493ee7ff825adc8daeca013392b6b106540689fe46eda68042f2beed74787cedf8b3d9895f1707428170e141f31d20f2e159599

Download Submit
C:\Users\Admin\AppData\Local\TempCGYUU.txt

Filesize
163B

MD5
f4ccb0e3bac0d30194050f6571eb103e

SHA1
66eaceacfb5811c9ebed14fe28bb9210be0fa64f

SHA256
03c0786d9557634af63ee7e8ac9ee208fb3ef184d3c0614f7fb1958e298f04b9

SHA512
0f671ce3765455c0cb8a3370ca667019be0e5dd12b2660f700d7d4681f6154e995c76bc69651084dd92f6692043294b2408308856b02884bf17670ca39bed85d

Download Submit
C:\Users\Admin\AppData\Local\TempFAVOU.txt

Filesize
163B

MD5
d99ad787c09f03e5b94da092b15fe494

SHA1
2659ba25b1487c102fd590ffd193e059ea8dd705

SHA256
7fabe9b05c5093d30fd238c1d7a0d429df063e881955b8380e5880b9fb3c2857

SHA512
bbef11fb5557a913590540938af852806b286f03d45d9581a1f2b6c0e41e540528eed945bd4c6a8f71db6d16ae5bf8c79d01a68addaa17a499170280424bce65

Download Submit
C:\Users\Admin\AppData\Local\TempFOAXV.txt

Filesize
163B

MD5
7b0cee9da4bed826b203e796f8af7ff9

SHA1
c26aad8a9a1db4d0f07a3518731b50dd5be3712d

SHA256
99b2b8de93eb48ff669b671fa989f2e8f0be29f2cf80e554c0c46fdcf04e4d82

SHA512
d52959be5915d09739f38808de0418f39d4b8bdddd2384fae3a53a8b22ffab29db235402fb4920ccc6740ea2f80baf1d4cb1e3592de91d1f1e8b59000b3702bb

Download Submit
C:\Users\Admin\AppData\Local\TempGHRMA.txt

Filesize
163B

MD5
2dd69db95f4689558af95e2e2bce88a4

SHA1
b7791a7d82ac368f1cf9cb29abec0606f29e8e73

SHA256
ee787e5fcf55f718a8641b0e56767c334af21dc0e7b0f5f1786169bd8e0b0611

SHA512
67818053365ca0807a528bac9f50b5952d672499172693b3fc47b3bc96073fd995bd82da6a696aa0e1cdeeae4cf0f0ad8eb1622afc47c2abf1ff3651eaf21527

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
077975505ee313d4d0f5595fc6eb7155

SHA1
4744ed31f9d8fd37b77625e24c415c98e78676bc

SHA256
21b75430c8b79e9ff7d13b3fa09f99870a5c47655d6a627624ef09cfe94a269a

SHA512
f4f3f1a0fb493a99b27fadcc00201ff92311563f272eb7ddc1455b7293004feb2f14d9db9cf140e42b473ff136bd725ae952866a07bc9ce899eb98cff0fe7f8e

Download Submit
C:\Users\Admin\AppData\Local\TempJBDRN.txt

Filesize
163B

MD5
53ff217ca9bac7426324c2e3c1c5066f

SHA1
26742a018325a024dfece3d6aad559cdb8c22f46

SHA256
9035ffbe0052c088e6d543ad88bcfb3f1619a79285ca9d70ac241527af3480c0

SHA512
5322560bd0b5f7516885db39c96c06aeab13f12f1be459b1ee63e5f91c2d3067d41d1da6b4f5c6deeaa3ce5ff33826d46ecb917c74842396d7e3d41cdad9b4a1

Download Submit
C:\Users\Admin\AppData\Local\TempJRDKO.txt

Filesize
163B

MD5
77879365f9bcb479a9a49328de5f8e86

SHA1
cbec7b0e689b483481681527c924b2c580e8040b

SHA256
05dc61b4e89230b160e3794d418cc1f545286c1f3542035de8f5ca69d77a8634

SHA512
9668be9416615f8f873b623043b752ed8a6e3cb7b2018ce06e9903d6289dc0976ca78dcdf35735e466c13e02eb39332ed14eb533fc874f62a045011a59614154

Download Submit
C:\Users\Admin\AppData\Local\TempJXFTS.txt

Filesize
163B

MD5
59244cea30ce61a3b75560e13419d6c2

SHA1
5160ba673f1c1bd604d5a0739b27c3c316407e22

SHA256
b6d2ad89e01b46ab8ffeee74e6fc5dc75060342cf421f5daffd6fec5c4e834f8

SHA512
e3ec1fea3b3f1bf96304cbf464aeddb2670cefa870fb7e5f04415e24dbf063537315ae1b5eb8429df6235102c6b30eb471bb8075f0d9dd1958853422f464f271

Download Submit
C:\Users\Admin\AppData\Local\TempKUQDA.txt

Filesize
163B

MD5
eb5cdd00bfbf93622377234bece1af38

SHA1
4b6a7b2ddb57e56c33b9f162e73101024b77a29a

SHA256
5573dd3ae1a12044a4f5b5660fbd1bd3b743690dee18d78354a29e5fd0901c59

SHA512
76740b731461b66808a570f4c9bdb091fe0d9afb88ee836eb2ce1290541063e140982e88cde5b8ab97ba56946cb9c209be67f3205d49d03ead8a6a3fb986b166

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
f50d622165c5e044de7001526409c185

SHA1
f640945f004b21b80b36c9be3a4d14c5c0affd77

SHA256
8a5a75efa2bf8e36f91a25d61bb500a974b6e3c3bf93e00397f8812e56a2ac7e

SHA512
208feaec03e41981bb65e8fd34a307ef0b863e3080417c8000d7a9e28f16e6c08aee3bdb29c3288270a7d768168c65c0b2a6c55f0044f01d3f79fdd494ccfcd8

Download Submit
C:\Users\Admin\AppData\Local\TempLTLFA.txt

Filesize
163B

MD5
6be479443a4e2dee43714eab6e14d5ad

SHA1
4d0ad9ca8bc4c464550154356cf0c0b4bc3e46e7

SHA256
1ae5f1928c5b8447a9d7abb0f042b5648f4274ac099b55a49d541151fcdfb1f7

SHA512
9ba56b023da029a1b26422742f978657af88a43dcdf88f6788f5c409e2f088c2a4f84fbdae05e2cce96b6542972da56cf7cddbdfa57620b449ee9cef176f9d95

Download Submit
C:\Users\Admin\AppData\Local\TempMDYBN.txt

Filesize
163B

MD5
56e62a5261bbb9ce37e157e5fceec40e

SHA1
4103106c6409939c1fd12cf35abe3ed28da06548

SHA256
448934e2951d7cc4e4444d9209fb88d131faf2c1755a0cce3e9577107e46b2fc

SHA512
860aef0aa30a9db4958069deb123e78e9893041b09bc260c0d833d28c5768cf1bbc39298448baff55a88fec9bf63e4a28b0f68b4d2d02e13c92a749cc49654ba

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
1fb1de7f08d19eb546f006bc99945a17

SHA1
54e4e017cca6cfc2726e1186cb467ebd6a020d1a

SHA256
2edb2a1b80236c6dff48d12e5e4b6663fc1e28bfdb69a6c74197762f1ec4d624

SHA512
13a5befc18b000ba4ab1cdd93e4e921f73905a5e01d24aa9150c8ef2ce277d9a44f8ccb166116cd50a36912a6b4d4fe8208e2d8ab4253ca9007b11c34a12f94e

Download Submit
C:\Users\Admin\AppData\Local\TempMOXTA.txt

Filesize
163B

MD5
f923f9a874c558471f95291c85bdffd1

SHA1
5d9d4180276ab572dbfb8778cd374af8c40aefd3

SHA256
b79c4503f56fd3510f51d8f71e5da7efb64906de3de3f2b831faf37446c6e65c

SHA512
3fe23517954add4d4ba04b09feb547a275d85e116df3bf9d2a19ed60cae56253f20923e98f60d633d755980cb99080be3e08f64596527feab9787d319c67a31e

Download Submit
C:\Users\Admin\AppData\Local\TempMSXJG.txt

Filesize
163B

MD5
85ebb4a4220cdfaf939629c5d20da082

SHA1
45ba2913a9a96023d6a82a8e577f68fc3ef43aca

SHA256
aa6eb1ff535bfa93106334d912580b8a77d1fe232b605e9994e24268f30150f2

SHA512
d8fdeaef1eeb786e45ae07d7072f0fbaac07d692971ec650a53d308028217baeb14ec80ae6b79cfb20a8fd1e158bb7188dfa1de52efd4c812f4adf1b4f46e6d0

Download Submit
C:\Users\Admin\AppData\Local\TempNHCYQ.txt

Filesize
163B

MD5
7261532d533c229006b308b9f37540a9

SHA1
8a34b551644d9e99488bd6edb159574a160eaebf

SHA256
ad2c582de7e17e9e6998d89646c2a95457ce91d361799369484c40b737ab7c9f

SHA512
bccf9592553ba8c71d3c3c9f6ecac34e76e958cc7f72e830e212cb5a4f39c1f17cb8686737ea2086b45636f8725d7359bb21cef8babd06e0544855c54d77a11f

Download Submit
C:\Users\Admin\AppData\Local\TempNPYUA.txt

Filesize
163B

MD5
eacca4b3e8a0f963130e9f6d6aa45875

SHA1
05c06938e96c74d4c90d34a2344e35a3679e697d

SHA256
947ccf8bddfa7cdfffc462ad632e24bb2168be86b7521ef63beccdb5346924ef

SHA512
72729ed3002b50471c8723d2dc3de248e4e78bade0826fa97a84f83cc8e54e9152e1e9643472efbbdf01fd8dc8993e04b42b0303b03e733342826f579630a4fe

Download Submit
C:\Users\Admin\AppData\Local\TempNVHOS.txt

Filesize
163B

MD5
65dcb1450b3de3f67453f9bcef548793

SHA1
47dab7dc089379d0f3878167729b72aa27ff5a4a

SHA256
bf72ebd2daaa96247946358ff30ad4bad7264ca4d2ec2e8a87b976d3b0aafa76

SHA512
d6b8ba80f3653bbc51064150367174681632e6411aa42f819bcfd8cb3d291748364d1eeafd7ae15cd70c327f4595a4f7775aff277afebf8b80539fcca26560bc

Download Submit
C:\Users\Admin\AppData\Local\TempOMKOC.txt

Filesize
163B

MD5
fa0afee179c8740da0ab4020fee03cd7

SHA1
c8cc0e8cb3b8994f814b8a6ae5c372118b4095be

SHA256
89a266b035cb0781e6046ce11ac912d498de7a4ce474a66d7ad4d6b95a875711

SHA512
1fbf7527b53b71264b80bad3220ba45698e8fe3c5220d6b869d72a2dc1dbf9d53ab307aa86a287b6dfb516045f086237e70e7c49a407a762f63c3f76ead7b1d1

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.txt

Filesize
163B

MD5
0d2615ed4bd9003ee0929afc21dcca18

SHA1
919020c644672b87b8989aa884a2dab33b961eea

SHA256
b996a7f6d47650c21d9eb020fd005b807e3cc7521a974257d914d4e969daf04b

SHA512
55b63f341681d1c414af61e5ab9ee48485322f534eeafa7180eaf539a3bc401ed52efbbd1550112e5890ba07606c3cd7dc9a29f1c8427ba5ff452cc32c20666d

Download Submit
C:\Users\Admin\AppData\Local\TempPVLJN.txt

Filesize
163B

MD5
f3931ccf4bdf284ee5fb347c6e43bbf9

SHA1
f538a7c05c86b67b4989635505496f06645b6758

SHA256
aae5447814b780af09a0f1a0e4bb253dc6dec2fb60f5bdb4e9bc7b27c21f77b4

SHA512
64cc45490c27133d4599cf71ecb148c129b33e83229572c6da074334a7016f51c1fba50ecf66b401fc2933c08b8a0a07a7292bd86bab251655555b34f8471514

Download Submit
C:\Users\Admin\AppData\Local\TempPWMKO.txt

Filesize
163B

MD5
790b5af1cea921a4dc77dae9acf9ea60

SHA1
dfe5e094f7dba829aa8bffe0b53c2abb63ea25a8

SHA256
b3f67305a83bbf1085ad3b32b4092f286a074b366474b6629cb173155b19f850

SHA512
ca133f61fb9294cd33a6f0f13bb76d2d84caab7dc3bb8257af6c3ef23c3d837149522943997b7d2507a4b396c4afad26fd81b0b50c33d442eb3c0dff1284917a

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
473dc30ed03f9d3c35194a3ec215d3d3

SHA1
66c1d2e60445720577b60f40c1c85cfcb79e5852

SHA256
5584ab2bd7a45c9a98c32c9d7b295d49a5f38ab4915509858e8d385bdf0ab030

SHA512
473732fd7d5893e6d619b64e41f3f203758b4f6f1355e2488ab0517546dc1acaa08ed3d0cda540bd53312ec3c0052c0bbc6dc7696ac5b951e08a0afe8345df01

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
e15ce9ba45689d817fb96275879803e8

SHA1
74cc2996ac7dde0c1811f7c74f3798e12f7b2a16

SHA256
5b6e60df17f289c0c2bb7577a797be852c776fe2d20b5e02f433e99b0ce3c533

SHA512
ba2e73459c52c4c584ae95d07cd6e1c607fb850554490fa41cf1fc94533ea570c3b661cb1a74637d491971d8d20b3e34cd83e5965e5fa8e0a5784e878fae89ba

Download Submit
C:\Users\Admin\AppData\Local\TempQDYCP.txt

Filesize
163B

MD5
995ddd87f3433b7aa9aaaa7059e3d944

SHA1
901b3d3b2d410088d9a729bf864481c0b7157d4b

SHA256
80392ea78b1be7a41553da37cd7f68c0fc6f85545d649f13956bf1c1d34345b6

SHA512
15f6f89124a22bfdb9d7dbeea1e92adeee9b7135d5ddbb088964bd048ef7487d63a62a407418f8ccc7398e0eff39cc92b4e489863a7f72511235a6b3d958482c

Download Submit
C:\Users\Admin\AppData\Local\TempSHQDY.txt

Filesize
163B

MD5
594912ccb6397141c59895d41153ae62

SHA1
b4e3549fde5dcfa3c51de8212e5727c6152be77b

SHA256
32e2c069f8d497ea1b9de99bb487a85985958671d24cd39ec3aa3dbf4bea2010

SHA512
115529f1fde1a973db79255a1bead918568f2c0c6ed1928bf97a0bb961a2427e29cedf21486888f9ee039f855f71647ac7e5bd6aec4a31efa448a5d74a07e509

Download Submit
C:\Users\Admin\AppData\Local\TempSYEFC.txt

Filesize
163B

MD5
28c24a343f70d490fc8f69dbc2484456

SHA1
f68463620b1fd8d538c92ae77aeb8551ddf321a4

SHA256
1f0da84ecad4d62c31518eca826c46fec9900f135c059c5e69f7573ba4fa1fae

SHA512
1781ea0c79a8510c2ed3af903c73455f3499f8ccf8a9ceff262ecb1f016d2035f8738419c4938cbdefffe5b59b9d0ac9d37b927fae4773a19537144eac321a5b

Download Submit
C:\Users\Admin\AppData\Local\TempTECGB.txt

Filesize
163B

MD5
1eb4352889514d5aad8e409a13904f46

SHA1
93bd4f33afd5239e5690542277b94934d5f7a523

SHA256
f021f65b6fab7a8a5080398147f7544dda53186fc6701d0b88f796bf1c53be42

SHA512
9572770fef9e09d6546e5789607c507426f3d77705e4eacfcd981e587d407a2d6fe5eb11c1750b1ae241a4efc1a6d7939ef20b0ca5011a8e58cc9cba263bfa87

Download Submit
C:\Users\Admin\AppData\Local\TempTOXOD.txt

Filesize
163B

MD5
5c1498e0ab630b7d65f95827cef3170a

SHA1
cc7995f2771379c186856dd3c3778e5871d80b69

SHA256
a770f87bc4ffcc6449c2d8ae7e78823926c68df02b5e629639e93913166a333a

SHA512
95ff1feb2e091469a336b4b4501175f1d88cf9d5774a39163c0a2ea922240c27171a54cb36a62a92a66bc00a4b82f9e40994a22caa523fa452efb0b2df2d33ba

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.txt

Filesize
163B

MD5
ba65ad51a6ea0d752a264e010d91bb07

SHA1
cc0125350670bbe8a445cc9619e733aab97f0ca9

SHA256
b98c4714bbef3d1764e48098bb3063bb4d3724831fef2571451bce68bf40c169

SHA512
935618892f9f6d1696b43493ce5005266f8f11c931e2305c01957e1f22c91b6508996d82fa24f1d27ef702bebf6138359b879aac81dfeb34335d2c19deedcc2b

Download Submit
C:\Users\Admin\AppData\Local\TempVGEID.txt

Filesize
163B

MD5
544ea437cd0d9ea6723d78a6053b8df1

SHA1
ff3cf28f2289dda4f486bd0087bd37dc58748458

SHA256
a168808f799128b67a718ce0a0610c3b3027ae8a96588e96b30bc3bd0dfc13ba

SHA512
66409d88d6f4da083e615053241220cd55c24233c8b57e76cc14938d14a03cb6fa4465c7ba18982b792b7e6363debf33a8ba25af9317cf6c42926231969d5fde

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.txt

Filesize
163B

MD5
bd032580b7effbda479aa5f35e128787

SHA1
50508bb841bfd66058e19d4d0d971214fe972095

SHA256
a9692075f56f7d52e431da2ac5574b7c74a01dde78bd823e0c4796483c39fad8

SHA512
3530dcd2586f93cf7061be08b75951e8350e9df9153c0619f9f7b06f7448ca59893777576a5c0fee503a22d83147a6e4a56614d549b9c685c1f4730c2032944c

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.txt

Filesize
163B

MD5
ad036588186932a92b9e3a74f852fc52

SHA1
4b6aaa51da69c0998215485b7e43e803931bd51e

SHA256
cdc48285816d80f11ffeac3b973797f74a3f06e4f7cc4a45130f9fa986e956ec

SHA512
f6c7748d3ea493aa6fdb130d1028ae7437e31a926ec194866c3bba624fdeba2d948df588c63d3bd1268ba4525b488415ca3a9a755e591f9efb24a296409e5394

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.txt

Filesize
163B

MD5
95e7cbd9f0857e740eb2751d73327176

SHA1
9d2955be571ef189f25b04d8a33b47a18b7d36e1

SHA256
1bfba4b36f75b9b97232d5cf942bd5f9ca6ef8c492c01caa55af1945b3046548

SHA512
8a091850e2f7bd5e46cfa9e27ad0be09382d44887b2021d3e91d1566d841793b50cb63aeb90fd4e612ada1fb18ba3807420455e10e995fde1f8c424dde3bae6a

Download Submit
C:\Users\Admin\AppData\Local\TempVSBNT.txt

Filesize
163B

MD5
6b9a7e8d9a22eb906aa54d9f318e137d

SHA1
3f43c09b424726d832140d7134993074fde0fcff

SHA256
3cfd7d0669ef4414c5827c3f4ebc17486be107f3edb8a4cf29270d9731d6e9dc

SHA512
d0f4a9e17a8cc0c5b1a1316db329630801ceb74744c161daf8b53bdc85b29131800cd09ab8953ebe49e13aed8c254893711e3c21edfb678b6ce68cd044f2848b

Download Submit
C:\Users\Admin\AppData\Local\TempVYLMJ.txt

Filesize
163B

MD5
d7306a8e665e4d9123db4630d85d5482

SHA1
93997b417ab3be1278cd1959e0db9f53777f780a

SHA256
31ffcd0648c7098b07e79e3b9b3cc19fdf1f425d73440aa08900d645d15aef95

SHA512
59be3575176bee4e8a0d65a67d0b8149cab5591280fbad7b16383bd2412723777f51f0a9cecfa55694e67208f962b735fdb4a3498949c8e7636b17243be30a15

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
4f57139833f2bf4d8e96fba71da04256

SHA1
412f72ef752e48c15e1235fa306e9954f868c4b5

SHA256
7a189248f7e6c57e7d5a0fe3a88434801377f62ef56e62d01266a3f2eb04f970

SHA512
1c02ca52fffc8f84b3f95238df55b56dc94edb5b9f4647594ff0c4c059ff7b55f2ac3bbc8e8aad28dfc636ab449f4cce8b4858b1926b4be21cf498cb3a82472d

Download Submit
C:\Users\Admin\AppData\Local\TempWIOTF.txt

Filesize
163B

MD5
dfea7a8a763dfdbc77f08257fe2fb741

SHA1
6af78c08448a54e140127cb74387b286ea1eacda

SHA256
89f4c62852007283c0bd9bb4a392f9f41e8cc41d07b4c36c90d5d7977d679c8b

SHA512
a0aea6727bc4e4f26b60a9b9b026eb3266f1aa539b061d175d792ebbad87ec394aec217eba3a2faaa243c2fdb94ac90211c68e7073ccc64d27f64e8af8580046

Download Submit
C:\Users\Admin\AppData\Local\TempXUASW.txt

Filesize
163B

MD5
7e4e7d02803059c71cf90314f2ff9e88

SHA1
7846624dd2d9b3ef07f0b0e2802ca432c262d2f8

SHA256
cc49825cd568417fd4c799987cfb409a1898afe82c0342e03a90689e0cb0b08e

SHA512
bbcab9f2d87632e3b43a9fb95514da2144045ab719ab1e1dc5bc56732bc882c039d6c68248eb369b0fc75a11e3ac77c953ca8176e01e85f5fb4aa198e0e88ebc

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
ed93079146f9f4bd60e0e00ae6b18333

SHA1
693eb1298c2c15c0cf4a281f3243343bc6656f9a

SHA256
e5bb5169216c000e8c65e1c46f75f7ffc4590d628e4c27f9a2ccf682a4df6f25

SHA512
e305fa2b7412aeb911dd607fec49063ea478450312d14543a9f4116bfdf4f4f14979209dcfedc2a7adcf4c9180b8058fe3f0cd9e9576bcb97a5fd98b7d8705be

Download Submit
C:\Users\Admin\AppData\Local\TempYWFQX.txt

Filesize
163B

MD5
c3a23fde97e68c040e81e160d37ace89

SHA1
bb456561e395edcafc40d0f202f9e9b8fdddc062

SHA256
6fbcc762bfd0c68fd5925e0633493f20593051d20d1a7fa22b1961bdf7caa065

SHA512
46341b309e2a8bb90c1e321e2b543c802456ba3a77e02a29014a0b9b6e25edee30ecacdd38c8a656c39934d1dda9ea2e45fb36e62cc6296ea229bfb023a9aa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

Filesize
520KB

MD5
bd68b868576244b56d58f8c9d1b665ff

SHA1
8260ebc5545cd7ef75517c98c68984c1d1935ee7

SHA256
df68a50f1a17eb8f012932220ade5cbee55ec428d38b57534c9cac0a6fe67172

SHA512
2eb8915869143ca16dba0e67077a3b7f3453034227edf91e3e57baab8811258fda228feafe776e4e62dc7358be05b1193c191881c3f4651831f7ddd405b4d5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUCXNRWDEBKCH\service.exe

Filesize
520KB

MD5
230d8142212f3fafa2160407c381461a

SHA1
4320a4de852fe52b17f3355cfe7c718475ae2035

SHA256
c07cba8bd2ed318d854da2ac7deda1b724016528f163f3530d1b7d62cb2d07ec

SHA512
b78743630b11093adf03d262eb359eee206023571811921241f7dbdc0e1346793cd02bed9b23a53751c012e37c033e6e97dd916a2eb1feb50dbdc7373b7df4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

Filesize
520KB

MD5
25266d0e5290b4d7e93e4f71a74df6e8

SHA1
a42467be6888805ae260af771207668f79c21660

SHA256
fc907f31a4e47bc940fe9581449214bdf870063c400ddf75f924fb756f44e43c

SHA512
836c89b26f1dee4dcffed8dccfbf04193164f87d26d06c8eaa1f334ce18a0376b930bca339b09571ffd841911c73b20b69185853bcaf94debfe6025031d0dcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

Filesize
520KB

MD5
8d14070d20d6157a9296bb2cd2caf7cc

SHA1
84ed97965a216236259669468e8e8ce58450ec82

SHA256
9fc9e470b2dd7b6c5e6f20c3abceabb427c13480ab3fa0c8d65bd614795b5d4e

SHA512
3c1845a8af1714483c8a53b550525f30388c18ff9217ef127fb8584032818fc34c3329612cd536892862d68c54725580996875d8445dfcdcd0cb5c6e965135af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe

Filesize
520KB

MD5
1bc5d3d75880ea1b090eca633fcb3277

SHA1
288516795b053c8a7b783c0d635f005632d8da97

SHA256
2bc1d55d4ada1ccf6e8309f02404efd5c2d2df504d2fce5c791bc39d83f90fe9

SHA512
4d9709b8becb724d55ffb99ffb95b122816bbe579672167c922406a599f2b9fedb81a9c0760e1a14ac398514e6f0c82e16cc603904e018404633b17f5f745f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

Filesize
520KB

MD5
79f1e1acbb4951b4f7d7edf35fbfb484

SHA1
58c48fd00f8e4e688615b5242bb74a7d1d3f9efb

SHA256
bfeb9907eb7e0d4191db03fb7e75e8ddf38fdc14ccb51ca5d2b0f2ba39bd9290

SHA512
25387645285f170e2088e14bae32d7d6025316b83299c5c6cfade5ae5d871ffcc4aad78f931f6a90bea048a14e0834f2480a607c9b2170a8be24d46a0f588de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe

Filesize
520KB

MD5
a5f2a3f35ce7aecf8c8a36ee9e8d847a

SHA1
a1531cd5f2e2d7edca44cb73f80a13ee5d364ddb

SHA256
b3ea86f8510c3c2edeee2cbdee8944ae8e026e79e85991c57d6fac5e32a20b07

SHA512
4c9713080e0c703160afe165bcb4a6c5c11cf10e3e4db00978876939ca33a7436a1aad79267e9a9839f17c9f4523c69a6323ddbbea7154f2fdafd23bb22a4373

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe

Filesize
520KB

MD5
6de68d75547dda51cf10e55af5ea50a4

SHA1
f596f13d67d345f7bd94cee0a3dc7e6376f2b15e

SHA256
8d8e1945ffc53a40da883cf10422fa78b6046d775c36c6b809cffdaa9ba5bd6d

SHA512
35019a2b9570d810e1d76985f524c9604100ce63e3c48b99b0c9f69767fa25073fedac3102a228c1bba229c385077cff4291fb96dd27f46ca906612678b2bfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe

Filesize
520KB

MD5
9a6fdcb607970c3952deb4cabc38d227

SHA1
dbaca47186aa17df9ce2b34c5cf0410421764f0a

SHA256
f4a3a87b65f92feeb4a401be5de5dc7db733d2e39fb31d388d926b43259cf58e

SHA512
90b572a1312d690381a04c340e08030eaea257597a6b7c05d552aa4ca64c5e41beaec278a90094380573c05680c81440882d7d19a88515ae30ae83bc90076127

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe

Filesize
520KB

MD5
4d5fc63f07abdddcd352318efc6d0b5a

SHA1
4c70ed92ddf055a4bec299e01ea6c873eacefd5d

SHA256
8eb5c2f00e029ce5b0dd722cc044fc3c5e888ba568f8724c3741ab4b93997ebd

SHA512
c495163139b9742d7db4827b09ef74a41eadb429e1ac608ca1e47d54e41c6e59ab1a43a398e85f8bee8a9e6cc108fcc71534f019391033f85f9f12a75f921404

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe

Filesize
520KB

MD5
64a8c6128a84b2c11215a49b09bd28d8

SHA1
f6cab8d0688787a5b9f6550a1fc3014cc73b1e4f

SHA256
b8277b40ca3c4fdb18d727d8d9da07964f46c0dc3f8c632bb6ec834b1bde320c

SHA512
a927c235a41871638add69ec0b9685b858f766a7b5037a6772722227465bc7a6ca2b8047a55c831191c3014d057536ba55caa6ee6ebc83843c6c2f8b0de72ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe

Filesize
520KB

MD5
cc259b57672beb2f0438c0cc7b4905e1

SHA1
e8ba6370e02f26cfb0951a8f84eeddb3ca4c4db7

SHA256
705a7eb20931a2a3e74e5b37ba8439c48ef4cabbfaa24797d8358be4fc67e6e2

SHA512
ca5f156ee8d9b0b4ca63b9d189d447f9eb4c90932df2d4010e86f943525801d6d956ec35b4901ba62712b298b25f8321df35ea2871b3e65686b5ba887ffdbf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\LGVTJTNLOEJXWIQ\service.exe

Filesize
520KB

MD5
38c2dbc1efb7e16a4936341a4e5739fa

SHA1
1a6f54aafe55aa88f5957de616e5e7a48f44af0f

SHA256
fa54816c355582cf8541fc2435d558328661d96602d20d8d3ab9500a6effa69c

SHA512
c6bcf2f3ed26e03e41805e95567adfe809ef5344cf6fc6cd51fefd62cc40e198f96707de23bff04f9588b1e3c0476749019911d0953907816937980fdeab59ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.txt

Filesize
520KB

MD5
5e25b295e0754aaf749cb9c73493ca77

SHA1
a9924a16cc9dd327e755e7bc94963431efbe059a

SHA256
767f78c62c41e4438fe269cec1d81825f350ab4c4beb92097ede692f70806ff3

SHA512
be1d36c6c342fa56b808847bf19682419a833fccde1eead4bbab1fe4a870cfcefdb26795090ca106da3152bf9b5abab72b3430d81ca7c00a25c6f903a1317934

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYGQGLDULKAU\service.exe

Filesize
520KB

MD5
77ace85561137cec6b6a7ae4ebca7aa5

SHA1
2077b29841f1fab69ed8b287b58e8a18b46456d5

SHA256
04af2092b5c134e3c2b3c4e440a688f7717a7fcb91fa09c36d638b830ba6ab36

SHA512
89309851ce5f39a0f4da82d387e6f94715f98db36008c011689cd2d2e8d27ac65e961719fb9f2b4f354bfa4a74803b02e5a645c66bd7b2f713b853198945644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe

Filesize
520KB

MD5
b6dc16b7c4a699f761ef98a4e3eb5e33

SHA1
b595cee9fbb644ae6309e780e3349628b059aceb

SHA256
18b0893aff21cc00dc32ec4410e085813ddd0dd68cd94664dc0fd77b6d717a84

SHA512
a8d6e7c19f12b587956c7bd117b46d8b4081db92a593bb73c5609ae115084ae0ea28072c049068bfbd40fc1ec54811d3b63ec4bb4dfdf274e18e3ff539dca20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe

Filesize
520KB

MD5
b8c6837ef7c2fa7e569f6bb8403a1d81

SHA1
728d85dbda5ceb3dfd5f29577f907199d44d4922

SHA256
6886d24582b6b67873d914875ae1bb1d98326b42dd36142e4ed63ddbd1202c59

SHA512
8b42df91ee73047c5afcc700b352c87ec40b20119165022035bb4afaddcf6524b199355c9181626b374bceab47096317dbf074dc8ef4fed94d274e9e73d7d4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

Filesize
520KB

MD5
2543bf4b93d4b33adf344936e5f2f4d6

SHA1
1c557d7671e215eb02ced848f0bca5ef53f525d4

SHA256
90419ef85862f5c11d6908dc61469213e4f5ebf8d32bdce4cb27f2723530ed82

SHA512
7fe10a078ee19704e08d13563c61491fce2be39fe1291882ef4bdf5f8d5a47adc4bb54a47e88e699e919f6c446eb7ad113e9f4639111df934a4d90a4ba5b00b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe

Filesize
520KB

MD5
d1fdf86c27b6f22e543bedea30fe4f91

SHA1
56e45b69fc533df78cfdfbe2f838f50ff3e706ba

SHA256
9ab0fc24826f1d87dc2de1a8fc951be6d1f5e5d999ba6609314ab4bec2fb1a06

SHA512
83871b018499559e7d02171b9cf09d00bd929bcbdc36a7ca95364116ad17fa225c2dcfbbbbbdf5969acf3e5f6e0560a8a24464272a43f8ed4f0a34cf2c25de3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe

Filesize
520KB

MD5
d08207d75fa0aa57d65f491d677c30a1

SHA1
c8ee2da413bd558dcdd8a81cc2d5bf7ae2f07bd6

SHA256
e16c2f7b1ade5746d1bc641a9d8e7108136d84daee665b784d17d84f3c2d82f8

SHA512
38c2fbaf2c338c5b7c2a3ba9c057eb57ee431cf1ee6e831884950ae8187b74f38a3acf965908103f622d1d0c46c69bef816c90b80a0b60cb9fc20b4f0ae2be3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe

Filesize
520KB

MD5
57df524fa74b55b79e1acd1fa80a5118

SHA1
839449f33435e393a962628895d0f703f305f25e

SHA256
39c00948eb29362025a0394449b071c77d0cb678ec1101d6fd8d479c6e4c6b26

SHA512
d5c2398c7f5283cdbf474f418226dd539e05b6ba3250f3bab63e30aca3d9e179d6fe19f89cec8538ff84c4cedf20a7a96ea5fa941c17b78a29e0952af93bf82d

Download Submit
memory/1064-1123-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1122-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1128-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1129-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1131-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1132-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1133-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1135-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-1136-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads