blackshades | 7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Size

520KB
MD5

45215ec7f8b8c4970d04c8aa7fe60c6d
SHA1

18c3f4806fe113ad86a062fb7bbb264c7faa6bed
SHA256

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76
SHA512

b85585ee0a0fda99228e6b6fbd5cf9542182645ad20b9d71a0f9f507e6e279c3ca2d2f67dba0d0e43a2b4e9e9e04c518a126f8f0b4463aad28e0ba73f1d8e4cb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXq:zW6ncoyqOp6IsTl/mXq

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral2/memory/2484-1507-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2484-1508-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2484-1513-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2484-1514-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2484-1516-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2484-1517-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFQG\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 61 IoCs

pid	Process
772	service.exe
4176	service.exe
4872	service.exe
1056	service.exe
548	service.exe
2424	service.exe
2320	service.exe
3292	service.exe
4820	service.exe
5064	service.exe
1192	service.exe
3088	service.exe
4868	service.exe
4244	service.exe
4388	service.exe
4072	service.exe
3924	service.exe
4904	service.exe
4444	service.exe
4972	service.exe
3248	service.exe
3008	service.exe
4628	service.exe
3680	service.exe
4952	service.exe
1536	service.exe
1620	service.exe
2620	service.exe
2480	service.exe
1012	service.exe
4872	service.exe
4812	service.exe
3248	service.exe
1888	service.exe
4744	service.exe
2732	service.exe
1808	service.exe
1368	service.exe
3316	service.exe
3180	service.exe
4728	service.exe
3512	service.exe
3508	service.exe
3812	service.exe
1240	service.exe
3472	service.exe
4852	service.exe
3788	service.exe
3932	service.exe
4560	service.exe
3476	service.exe
4528	service.exe
232	service.exe
1512	service.exe
548	service.exe
3664	service.exe
2464	service.exe
3708	service.exe
412	service.exe
3492	service.exe
2484	service.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVHHAUBSOYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXWIQIROJYSDTDS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOHAGNWMSJRGQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQUHLHFVTKJMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNTYKIMHPDEXVDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BEPQMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCPFTPNSERTOHLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXNSKSGRHD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLUAQLGAFVWT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSWKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUWIOVVGAOXKJXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYVWIOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BHMCOPKILAOVFQV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSTQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGKXYBLRYYJBDRN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVROTGTVAQJMOXT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMLOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVTCDWLHPHEQOMQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJOBFBPVNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSQXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWSQAVHAUWBRKOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPRDHNAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIVCLVSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMSOERIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLELLUPYPENAWVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYHHSPNRMUIKCJJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCEVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGDUSIIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXWEYOEJBSJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWIBVYCT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSOJTEUDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKVLHGTAJXTRBWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKLIRDJOBEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GWXUDDOVLJNIQEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKIKANVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIGOAGLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYJIMDNTLCCEF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACWSNBXIXDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGEUSJJLGCDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXDECKCHWVJKGEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSXIGKFNBYDVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGTVARJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LELLUQYPENAWVMQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSGSDCGYXTUHNUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KJNAEAOUMCCEGUC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MNJHJMUDOTDQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JTPKTFUETURBMSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCPFTPNSERTOHLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBGNXNSKSGRHD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPTHLGEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTHTEDHYUVIOVVG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNWNSKSGQH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQHGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUILHFVUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3492 set thread context of 2484	3492	service.exe	348

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4040	reg.exe
4620	reg.exe
4736	reg.exe
2604	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2484	service.exe
Token: SeCreateTokenPrivilege	2484	service.exe
Token: SeAssignPrimaryTokenPrivilege	2484	service.exe
Token: SeLockMemoryPrivilege	2484	service.exe
Token: SeIncreaseQuotaPrivilege	2484	service.exe
Token: SeMachineAccountPrivilege	2484	service.exe
Token: SeTcbPrivilege	2484	service.exe
Token: SeSecurityPrivilege	2484	service.exe
Token: SeTakeOwnershipPrivilege	2484	service.exe
Token: SeLoadDriverPrivilege	2484	service.exe
Token: SeSystemProfilePrivilege	2484	service.exe
Token: SeSystemtimePrivilege	2484	service.exe
Token: SeProfSingleProcessPrivilege	2484	service.exe
Token: SeIncBasePriorityPrivilege	2484	service.exe
Token: SeCreatePagefilePrivilege	2484	service.exe
Token: SeCreatePermanentPrivilege	2484	service.exe
Token: SeBackupPrivilege	2484	service.exe
Token: SeRestorePrivilege	2484	service.exe
Token: SeShutdownPrivilege	2484	service.exe
Token: SeDebugPrivilege	2484	service.exe
Token: SeAuditPrivilege	2484	service.exe
Token: SeSystemEnvironmentPrivilege	2484	service.exe
Token: SeChangeNotifyPrivilege	2484	service.exe
Token: SeRemoteShutdownPrivilege	2484	service.exe
Token: SeUndockPrivilege	2484	service.exe
Token: SeSyncAgentPrivilege	2484	service.exe
Token: SeEnableDelegationPrivilege	2484	service.exe
Token: SeManageVolumePrivilege	2484	service.exe
Token: SeImpersonatePrivilege	2484	service.exe
Token: SeCreateGlobalPrivilege	2484	service.exe
Token: 31	2484	service.exe
Token: 32	2484	service.exe
Token: 33	2484	service.exe
Token: 34	2484	service.exe
Token: 35	2484	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
772	service.exe
4176	service.exe
4872	service.exe
1056	service.exe
548	service.exe
2424	service.exe
2320	service.exe
3292	service.exe
4820	service.exe
5064	service.exe
1192	service.exe
3088	service.exe
4868	service.exe
4244	service.exe
4388	service.exe
4072	service.exe
3924	service.exe
4904	service.exe
4444	service.exe
4972	service.exe
3248	service.exe
3008	service.exe
4628	service.exe
3680	service.exe
4952	service.exe
1536	service.exe
1620	service.exe
2620	service.exe
2480	service.exe
1012	service.exe
4872	service.exe
4812	service.exe
3248	service.exe
1888	service.exe
4744	service.exe
2732	service.exe
1808	service.exe
1368	service.exe
3316	service.exe
3180	service.exe
4728	service.exe
3512	service.exe
3508	service.exe
3812	service.exe
1240	service.exe
3472	service.exe
4852	service.exe
3788	service.exe
3932	service.exe
4560	service.exe
3476	service.exe
4528	service.exe
232	service.exe
1512	service.exe
548	service.exe
3664	service.exe
2464	service.exe
3708	service.exe
412	service.exe
3492	service.exe
2484	service.exe
2484	service.exe
2484	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3416	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	88
PID 3540 wrote to memory of 3416	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	88
PID 3540 wrote to memory of 3416	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	88
PID 3416 wrote to memory of 4788	3416	cmd.exe	90
PID 3416 wrote to memory of 4788	3416	cmd.exe	90
PID 3416 wrote to memory of 4788	3416	cmd.exe	90
PID 3540 wrote to memory of 772	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	92
PID 3540 wrote to memory of 772	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	92
PID 3540 wrote to memory of 772	3540	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	92
PID 772 wrote to memory of 3940	772	service.exe	93
PID 772 wrote to memory of 3940	772	service.exe	93
PID 772 wrote to memory of 3940	772	service.exe	93
PID 3940 wrote to memory of 3708	3940	cmd.exe	95
PID 3940 wrote to memory of 3708	3940	cmd.exe	95
PID 3940 wrote to memory of 3708	3940	cmd.exe	95
PID 772 wrote to memory of 4176	772	service.exe	99
PID 772 wrote to memory of 4176	772	service.exe	99
PID 772 wrote to memory of 4176	772	service.exe	99
PID 4176 wrote to memory of 1212	4176	service.exe	102
PID 4176 wrote to memory of 1212	4176	service.exe	102
PID 4176 wrote to memory of 1212	4176	service.exe	102
PID 1212 wrote to memory of 1536	1212	cmd.exe	104
PID 1212 wrote to memory of 1536	1212	cmd.exe	104
PID 1212 wrote to memory of 1536	1212	cmd.exe	104
PID 4176 wrote to memory of 4872	4176	service.exe	105
PID 4176 wrote to memory of 4872	4176	service.exe	105
PID 4176 wrote to memory of 4872	4176	service.exe	105
PID 4872 wrote to memory of 2716	4872	service.exe	106
PID 4872 wrote to memory of 2716	4872	service.exe	106
PID 4872 wrote to memory of 2716	4872	service.exe	106
PID 2716 wrote to memory of 4324	2716	cmd.exe	108
PID 2716 wrote to memory of 4324	2716	cmd.exe	108
PID 2716 wrote to memory of 4324	2716	cmd.exe	108
PID 4872 wrote to memory of 1056	4872	service.exe	110
PID 4872 wrote to memory of 1056	4872	service.exe	110
PID 4872 wrote to memory of 1056	4872	service.exe	110
PID 1056 wrote to memory of 232	1056	service.exe	111
PID 1056 wrote to memory of 232	1056	service.exe	111
PID 1056 wrote to memory of 232	1056	service.exe	111
PID 232 wrote to memory of 4764	232	cmd.exe	113
PID 232 wrote to memory of 4764	232	cmd.exe	113
PID 232 wrote to memory of 4764	232	cmd.exe	113
PID 1056 wrote to memory of 548	1056	service.exe	114
PID 1056 wrote to memory of 548	1056	service.exe	114
PID 1056 wrote to memory of 548	1056	service.exe	114
PID 548 wrote to memory of 32	548	service.exe	117
PID 548 wrote to memory of 32	548	service.exe	117
PID 548 wrote to memory of 32	548	service.exe	117
PID 32 wrote to memory of 4528	32	cmd.exe	119
PID 32 wrote to memory of 4528	32	cmd.exe	119
PID 32 wrote to memory of 4528	32	cmd.exe	119
PID 548 wrote to memory of 2424	548	service.exe	120
PID 548 wrote to memory of 2424	548	service.exe	120
PID 548 wrote to memory of 2424	548	service.exe	120
PID 2424 wrote to memory of 4808	2424	service.exe	121
PID 2424 wrote to memory of 4808	2424	service.exe	121
PID 2424 wrote to memory of 4808	2424	service.exe	121
PID 4808 wrote to memory of 1756	4808	cmd.exe	123
PID 4808 wrote to memory of 1756	4808	cmd.exe	123
PID 4808 wrote to memory of 1756	4808	cmd.exe	123
PID 2424 wrote to memory of 2320	2424	service.exe	124
PID 2424 wrote to memory of 2320	2424	service.exe	124
PID 2424 wrote to memory of 2320	2424	service.exe	124
PID 2320 wrote to memory of 4148	2320	service.exe	125

C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
"C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAOXKJ.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYUVIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4788
- C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe
  "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLHPG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSXIGKFNBYDVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:3708
- - C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
    "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFFO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GWXUDDOVLJNIQEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
      "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKIKANVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSOWNC.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYHHSPNRMUIKCJJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFWNBLC\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFWNBLC\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTFUETURBMSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGTVARJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUNTFB.bat" "
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUWIOVVGAOXKJXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        11⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMLOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHBPXK.bat" "
        12⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYVWIOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQPBJB.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJNAEAOUMCCEGUC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLUAQLGAFVWT\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\LETDLUAQLGAFVWT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLUAQLGAFVWT\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQKCI.bat" "
        15⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLELLUPYPENAWVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
        16⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYOK\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYOK\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
        17⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQLRW.bat" "
        18⤵
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXWIQIROJYSDTDS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        19⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWIBVYCT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        21⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCEVRS\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCEVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCEVRS\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTBPOA.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMDNTLCCEF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        23⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXHS.bat" "
        24⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKLIRDJOBEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFRDBG.bat" "
        25⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BHMCOPKILAOVFQV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYUBCH.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWSQAVHAUWBRKOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
        27⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
        29⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIXDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEHHBA.bat" "
        31⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVTCDWLHPHEQOMQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
        32⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        33⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        34⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPHBK.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGEUSJJLGCDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVREBQ.bat" "
        36⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCPFTPNSERTOHLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
        37⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXDE.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        39⤵
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        40⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
        41⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNTYKIMHPDEXVDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLFAFUVSB\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPTHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWJRAL.bat" "
        43⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXDECKCHWVJKGEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
        44⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQKDIB.bat" "
        45⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LELLUQYPENAWVMQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "
        46⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMGBXP.bat" "
        48⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGKXYBLRYYJBDRN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBVYCT.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKVLHGTAJXTRBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        50⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
        51⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        52⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
        53⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
        53⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPQMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAGDSR.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVROTGTVAQJMOXT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVREBQ.bat" "
        55⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCPFTPNSERTOHLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
        56⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENJXW.bat" "
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQUHLHFVTKJMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        58⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFBPVNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRS.bat" "
        59⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNJHJMUDOTDQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
        60⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOJXWJ.bat" "
        60⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFVUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYNWJ.bat" "
        61⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSGSDCGYXTUHNUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        64⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe:*:Enabled:Windows Messanger" /f
        64⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        63⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        64⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        64⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACQML.txt

Filesize
163B

MD5
91291bc4f46fb15160fd68ef5d048266

SHA1
bd79d4bf0251f9a21b4826129df7e8c8c1d4f686

SHA256
6893c2af0877c63b6cf07d139f040fa284dc26058f0f07a51f4a740990376b38

SHA512
e15bd248249d0d776fdac65b6c6fec1cee5dda76e776558ff1e7b1af9ba8f0b60e81806780529e3628dfc3ff5388c15bf47def48f9509476119885d057f0234e

Download Submit
C:\Users\Admin\AppData\Local\TempAGDSR.txt

Filesize
163B

MD5
6b12ec09df66089c1625d97572707fe8

SHA1
088b00a1da9b5267494a65fac6c71f4d910c663c

SHA256
ecd9b779d05867e7a8986819a156a0989f455b606e9c1f9ff5ea0edf624ff382

SHA512
69fdacbfb45e2a6aba64c5020c10cbc58eb6673558d78b4e0ffb708bdce3cf29efe6c8ba854f4d81ee21a6bf0aad398558d0058f009dd045e7166a316eb3261b

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.txt

Filesize
163B

MD5
5dced6292bcbce23868e6277ba6866b7

SHA1
aa5365f8ba9131d31e28bc7ba4081942e76e13fe

SHA256
89f8a942b7ecd68bd659191dc75c3c6186c0e2d8214d73eca7b12fbcbe222954

SHA512
283c01b07b4dee5b2e58ade4504a4701b48784c55bb4797c1bf3bd9e3a604e4d0ca87e98ed7bdd4b9cbc4a9d3f9f60392b2b5d955e0773a9d9b4e3c8f7f7f215

Download Submit
C:\Users\Admin\AppData\Local\TempAOXKJ.txt

Filesize
163B

MD5
a421bd051089aeb22b84cb05b5161472

SHA1
a2b29cb48a654ec1b0db1b67bcf5c86479307f92

SHA256
c072f6b60a5dfecfcfe03355f378f0ccd0c6e37e1429ad67b7712249e4590c5a

SHA512
c027596610a7f50b54c1eca638c74b8139ea9398d4c421975ba179c69a818c4f0f56365c1ec54c372d76eccaca6d9e4f5eda0f8707335854e5284bcf9c60aa07

Download Submit
C:\Users\Admin\AppData\Local\TempBVYCT.txt

Filesize
163B

MD5
ceb89403549632169a8cecf78468781b

SHA1
e673b4d7e0620c1f91c1ce54db868b487b5b439b

SHA256
c043bedab98a279c7908bee9af621c533e6ce4855ff67c0c8d7c97775a0e5c6e

SHA512
7c1ebf84ae94d2a20436d1c8fbc0e165b6124cf24eb728d7691743462d9ec79f263a8759cd777e3032048735ecef157e9a6d35803ca5740bfc992a28a9b701a5

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.txt

Filesize
163B

MD5
96c73dbf64a31be001b5911c6f355ae3

SHA1
3e9af6b01429f2c043e348b7237a4694ef941d41

SHA256
33ff91c0d2e0f1e0afd92c3d2aec0a69121e9cbc940e06207835d53984cfa9fc

SHA512
5b0005f83dabebc2bb954a85992ed566f0cdd18795f121ff7300fe5408363064797f4b017c6f6ce43eee25a1df5b6596ffa07ef2d406146c63b1b4146f7df1e2

Download Submit
C:\Users\Admin\AppData\Local\TempCGHQM.txt

Filesize
163B

MD5
65becba90ec3c2268f08c642b299af1b

SHA1
2516e80885adbd1dbeca15e478b8c60b47676f28

SHA256
cd1902e1548181d4faedb54a7929a04e262fa779d8ade5413697bce636e25e3b

SHA512
4777926a9c50b958813fdf3ef2c77d083f2817e9ab12700f994a61a7c639c3ca1dbf777d65a87a8239f5362f8cb02252362f416621dd1f5ceff898a5894e5d45

Download Submit
C:\Users\Admin\AppData\Local\TempCQXHS.txt

Filesize
163B

MD5
6128fb0d0727fe45ae8f7da9feb1a109

SHA1
35647cd29de15cedabacee03befed85b9a0cde9f

SHA256
5fc95f0f6fa8a06ffc1921c294c62a7520cd1183c660ea24a4e51ad4c1f6589f

SHA512
03376d50704736c2778897872851128597bca950288da53407683966681955d817a299520757cbb98ad16c46221ab88f2e7fe9e19670869ebafe157e34d64b3b

Download Submit
C:\Users\Admin\AppData\Local\TempDXWLU.txt

Filesize
163B

MD5
4eba4145313e52413d3bfd882b7f9f5f

SHA1
45de0d742e09cc0c90c49eddf5dc8f83b1f2cad8

SHA256
9be648f7c63f86ed9423ade0cea60b9300ea178240980627070c58e660184897

SHA512
bab64c6480908735df8b24183727126c5098501f651600331b99f768fe05a71fae4c7c6a09db5a06a9a4f25363497dccbfb162c7a028e80e3a8960a82cb5e429

Download Submit
C:\Users\Admin\AppData\Local\TempEDHYU.txt

Filesize
163B

MD5
eb6b81f78f24c389d5ab5fbd8654cba1

SHA1
9696d0b43bed3f13cb76d6699e47ea0143068c24

SHA256
3f11603292f26b702872843d47aaac8fe90dd62c8c5ef9f538b9662aba965b12

SHA512
90ffce227ff04f5bcc9500d4ea92f30817120f083ccef586384d83222d82ed5d999209da676875c34d0e480e5fd252edb9dfe2ef89994fb0f41a5670b02956bc

Download Submit
C:\Users\Admin\AppData\Local\TempEHHBA.txt

Filesize
163B

MD5
9362fc152967dd1cf8f2dabc4534036c

SHA1
2dfe1def3b66b6f6f9904fbdef935e8b42f269fc

SHA256
8e678d07b7bb977a85d73a487f42cf45214e0513ad0e0d8aec7e5fba34ec80bc

SHA512
4117a24838d3a22074787927747cb5044f27c09be0ac79187ac65a9396c46882c24b32bd7c919fe2b6ff80638fbacea5ba26a2d3d6e28dff6371def12fa1316c

Download Submit
C:\Users\Admin\AppData\Local\TempENJXW.txt

Filesize
163B

MD5
324baef46bc111158746c87ced01268d

SHA1
e5ba39da595b6b0ed8954c8960730987293f31cd

SHA256
dc617cebb2b2e23265190db11e00aeec9df6d8671129ff06802eb76850dec866

SHA512
a13e8e66998bdde72465107cad611e194d58dd2f3ae054ff7182cbf36362af43389a0b7d0ba8d301d41834be3246e4ffd78b77df407b11138d4575160b7ba11d

Download Submit
C:\Users\Admin\AppData\Local\TempEWVRS.txt

Filesize
163B

MD5
2b6bb6b79f1760c96d8dae8345350053

SHA1
8807b01e4ea23dd9bde22595b40ba99c021372cc

SHA256
b13d848a0987be1a1d10b47c99ddb0585d6eed3846485c82b740fee5a39b045d

SHA512
eac54b58f8d90bcaf13aff8bf3f86b239a895fab713705ccfc8212114c4b14e8cc69627eaf85a19324316bfa09c4d8f4c95753b8239080364679e8b2e65c7dd3

Download Submit
C:\Users\Admin\AppData\Local\TempEXNJR.txt

Filesize
163B

MD5
408601e08a12a0877dfcde438e9b170e

SHA1
5d487c21914e7b1387000d702f1dd6e519373e8e

SHA256
6df005b323f2513af4d3c7288e79cbff390d3983ecf8e05be40d935169336945

SHA512
68d66b766475d0ec051d7b2ac936f6d2d0fc916e29b92a9858a4e4a09f88f3aafe5401b67fb49e07950ee3cb99187da9449b5dbafb83c7ff15416620559548b3

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.txt

Filesize
163B

MD5
9e866f8181a3cf3103041c39bf893cc8

SHA1
10f33e54f4ac23a78b5d61623cc467a171ac9c88

SHA256
b9b06cc28bb1f0e13aaa9a5b971c77809e1ad2e509eb1d6a9710f6fd3c16ffdb

SHA512
e3199afdf57382979ffc830bcf58a65c14f1cccc6e255d763c8b2569af3bf7173105defd84c0a46a26f9bf0085b547a9882ea46f4724c55eb52bff376b05f7ac

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.txt

Filesize
163B

MD5
08853a35be8e45c3640c3f672e80fe9c

SHA1
00902980912ea37b95b6e99bd7e88d5759dfe96a

SHA256
917e075095fbbcc1b098646c4bc5e216fe0dfd4066b071f0306040d619c5cb9f

SHA512
6233dcc47cad3065a4329603cedde5086decff797d8ee270fcf527202f4aeb89e6aed8417a0e0f6c14668125744b4524247e98fa6b6632182f563c9c41390d55

Download Submit
C:\Users\Admin\AppData\Local\TempFGDME.bat

Filesize
163B

MD5
14fae50342426a511c592393ebb911da

SHA1
620af42cf093895052bbcb7216b12eda6f931800

SHA256
1c6aab0f9d927513353fcdec4febe785669b37702e7736c739137f28b95aaba8

SHA512
e1ae51641a859a235699c1943c2194cdeda37356ff14cda25f395beef169de451f8f8cd2d40fedbf43cf8d3246d1755cd0e1615907bc31918dac27a7b81241ed

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.txt

Filesize
163B

MD5
673f3201100fe8a257c12e36f4049a29

SHA1
f97afb1d3b91a839c87d2001b497351d2bf2f5ef

SHA256
4b736c214c6432ed6ec4c1b7c8ec97658fbd66a276b4b469e89b92fbf3721e26

SHA512
8ed78e8fc185d91af59d99ce418bbaf3e9079dcdccd1c38c0fe9574a4abfa6d0bb310084d07e2438261f6ba4d60d80b8286d94d763b3fe4c7ed902d9abd259b3

Download Submit
C:\Users\Admin\AppData\Local\TempFRDBG.txt

Filesize
163B

MD5
c3cbfdad331a66831e77e2028f8ca5f6

SHA1
4d036346c82428735add9c4509c223c1aeeb2880

SHA256
8e0f4fad7e9819ac21669c25c8e4160b40f4f4f6a3a6e7dd2014b15cf24713df

SHA512
1398451edd1b95b1867c45ad9bc009aa551e4667d4ef8c69db32ca50b21525a8cc3998cbb7ab808c852ad0aa66b8b03f88098c15d46e81ee1a7d53f2fbe0cb2d

Download Submit
C:\Users\Admin\AppData\Local\TempFXWST.txt

Filesize
163B

MD5
f5dddc8c8195b915447e8eca984daf4a

SHA1
92ac8e13c3544047b426c6a188f1e272801f7f73

SHA256
b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4

SHA512
f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

Download Submit
C:\Users\Admin\AppData\Local\TempFYNWJ.txt

Filesize
163B

MD5
8f73abd6dcaf269815304cb6dacb9f23

SHA1
e911cb9735f4b719032c98f04149778e7dbfa5fc

SHA256
2fc510318eb2fcd30b9ab30f82879c50bf3de95ee30872f60e3b2a9c7a8ae108

SHA512
d3d55f28e273d2eeeec970fd652b7b322e5fc18c32e97799bd1c3a9db0a00784345d73eb2a26a3d85212f7eff2bafbb3cd04d07f56c372726a8b34569fafe218

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.txt

Filesize
163B

MD5
21b20f17448626f42eba283a5ec11924

SHA1
2235f6387e6faa9f8f6d1b35e0477758f6101367

SHA256
a91d539f0be0b145f01226433aeae7b5025c02bb2e7182f0ab40a669d950891c

SHA512
a9cfd25ce4a83304cef4c4f239ee551dd90bd59268ca04a7bf606e32bb9867574a7e6d2198ff9b20ee111f92d76148866a82d0eda4134e3bb3b2f3a26d1b2c04

Download Submit
C:\Users\Admin\AppData\Local\TempHBPXK.txt

Filesize
163B

MD5
988a9a1dd2014ac865ad41e01c8aa11a

SHA1
4eed443a0fb6e5ef34014f004894de09c20ee7d2

SHA256
15d38228aeb7f96d7cc9762fffdcb10aff39bfb5101cac7fb1a7544fdf45c965

SHA512
b6c638e508cbebb357becca55393b47f8241c644b6c8af1810ed9fd47c26da7dd0d8e557c1376858e66054cabb658d0a81ccf6f88afc96f02e7e88468fb99e19

Download Submit
C:\Users\Admin\AppData\Local\TempHPBIM.txt

Filesize
163B

MD5
0e852e3f3893578dbbc3348986595242

SHA1
1580d7f1669b5d72ff048009acaa40bc9c6b6a8d

SHA256
acd2d8f85b9f16d5dcfae0a940261a752c0954fbd0e24794e9e62d2bdca9c012

SHA512
e601e7804202f35f98195848574164f11adfadd8685594bd764566a14917fe746a8f2fe9a8ce6e6c2ec86b2ef84c4b45ae1624fd58398631d265ce029bb79ed1

Download Submit
C:\Users\Admin\AppData\Local\TempHPHBK.txt

Filesize
163B

MD5
26d69c87fa41af3db670896263b5868a

SHA1
1d261a811512a571015b9ab42ec4ac6aeef444ad

SHA256
6fdcfccd709f7364f192a046c7adc91716e7865c22e5dff0354a296994b36070

SHA512
7e420cda86f6f965748aa78bec58b3ee0ee0a3221d1fa134d128379aadf0c0fc9484837a5d13f886c1d4d1547151ea635174fc308a9c75a7943c6ca4881e6a0a

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.txt

Filesize
163B

MD5
5b6a25a614fb1e2488d2e696d3f06d23

SHA1
46934153a78cff395b8518346b5d81f72782b5c7

SHA256
d11fc467cc08b96815378c649fddbea1ffbedc7bd4d3223d967b8e68e585fcb9

SHA512
fce0d5a0d3328d179cef275a356b9a688ab4e24883579249614fa8631435930b6b260062c0b9e0dea5b9b0420cea25109d4b4a20306ac70e466cf066b14c6007

Download Submit
C:\Users\Admin\AppData\Local\TempJHLGO.txt

Filesize
163B

MD5
ea94bb138c62d7f2fbafa97600ddd5fc

SHA1
dc7d16ce671471b8c361c0de3ace15bdd5233cb1

SHA256
82c066980d649a2cfca0f221e4caf74ff0435deab5a85ff5d8c23d1d9d22c383

SHA512
2b71d929e2a9723077117ffa6cbc2e0ac2abec3e0b8cc481a455062a7a984fe46079fc3f3380d6d29b2e48c12c016cbdcf3e248ee5aedf3e0c3f368e9dab2819

Download Submit
C:\Users\Admin\AppData\Local\TempKSELP.txt

Filesize
163B

MD5
cd7b255d6df08d7c8ef515a65695d1d3

SHA1
adf73803df44319228413e5033db99eb46557217

SHA256
bb419376e5134a6b2b6a426c8d2084b4f382b3a6dc4f10469e64dca5c802d69f

SHA512
5087efea27901a9eff581da7f7febfc2be20c7dbe2b955bab8966a2ba15f02802c37b23ac5860aebaf6287a0af5131a5fb882b1b051fc7b1c1572bd5653ea08d

Download Submit
C:\Users\Admin\AppData\Local\TempMGBXP.txt

Filesize
163B

MD5
8ffe8b9393b75b07abd72581a54188dc

SHA1
bb63a51dd9223d73b2283a5ddfed4280931670e8

SHA256
39b8e9df325c2b90bba6700112f675693a7f368590f6cc96189cb6f7c02fce13

SHA512
75a6c546277b38f85300c9f80f46e6ddaa14038557b5abd256887c323ae835f8e35e83ddb8f2a763b803404a39b1ee5f3b12c814663c047e1c2a55016808862f

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
ba07345a5018549d2d440afdc8d97d2c

SHA1
d11f0600b6e3369e2d34ab2010f14b5f31bd46a4

SHA256
15f3bb5ca7dfb79de4bf6699674a6e66fcddc3d5c1202a4ad45e0c2948f81fdd

SHA512
826aaaf91457a40b4240f502ed8bb02015f082cbe6ddd6d58207f3c1bffc85c6691220e57e407dba46c06b44899f77c5fc9cb5978eddd68d02ed89f72ac4afa3

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
357cbe590470b122d8dbbcfbe2980298

SHA1
2633699eef670397f2488efce9fd44fb4291d864

SHA256
40b616299d708573653d595d7509022e1cf83b85e1e66901584b1679d4608c9e

SHA512
815135f83f1fb7f4c50c3bebac779159739e5c0425f14984f8e6dd586730f0bfbfcc33df4e86a6da765186ad5da50cf20a3ce0606fb45471ee53225f9ef326f6

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.txt

Filesize
163B

MD5
a6e7c23d6bc7552ac72ae074f02c516e

SHA1
690ce9672e440d5bc5a13aa031c7cf1cff3ca9bf

SHA256
22afee1df19fea8618a4232a513177dd29a55708a986d7358d98f4ed28c968be

SHA512
35fc7458c5caf4d667449d5d516cf7c160edc38d716320ca247cbddb28879a77da9da70f5825a39fd36f661c1f1b562c14a00485ff272fa8e1bacdabb653336b

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.txt

Filesize
163B

MD5
884f47a0f11a6bb28f7bae75b1e15d93

SHA1
34242bd15df7c4693cc37ebec03b7a406be659e4

SHA256
cfca6a9ccfc52b1b55f687d31772d14c55e39cc72a9214daa597cd58786e4106

SHA512
f321fd7fa9c352542844aa871915c5664dc4a081337183ee1bfe387285872d682c18bbc521f7d848d6431a7a64e2df11967fecc13c4ad52f40ed7ae701762267

Download Submit
C:\Users\Admin\AppData\Local\TempOJXWJ.txt

Filesize
163B

MD5
c2b1f1aee91002f968818f11d47fffa7

SHA1
d628ec8e54904d99a1514a3fc8b7c0213271b3fa

SHA256
5375db52ba6c6212b32b77b61cb686a0b9a302c83bc8990197cde586a9a03c4a

SHA512
4c4c1fbe3871736b0bfe9a39e6626a19a8889306d61a473f838118db986879f4d4e70bbe74a8023ea47129340fff4b3b41e2ba0ca4b8698ef2baff6dec1056d1

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAB.txt

Filesize
163B

MD5
a3d09b79903c931174cea6f4dbe307fe

SHA1
17a5c5b9858472f41cb35fb741981908815c9c7b

SHA256
a36a061f7589144cc4269a2d97e9ac3a9103c00ecee8fbaf214286e9ea4bdd2c

SHA512
f6960c1c324fb0f9ade661eaff5cd4479acb8ee0ab7066f6e210fcc72d2269d0c690fbac9e789f7752cce0fdbe42567052849b0d318b643b76ce22443d5f85d6

Download Submit
C:\Users\Admin\AppData\Local\TempQKDIB.txt

Filesize
163B

MD5
5bf2e7ca68bbac609e18ec4277de1a97

SHA1
bc93540b8d034c25bb3952a6abd0443545828387

SHA256
969a8bc11291d79ec50ecdf6bd868d1896fc518fcf3661f7d3571dcb3b89d98d

SHA512
b6997cdc506a7b3c49285914dc9ac87a328de60518cbd729811436870ebc4dd0063ed1e8c4e991ff78775e534ca5f5902228f8dacca52ba4f66280a8b0eb8078

Download Submit
C:\Users\Admin\AppData\Local\TempQPBJB.txt

Filesize
163B

MD5
41d88a7f2f1d880e870de7d393e8a844

SHA1
021c80a197b9f506b4cb3b1400080b2475434941

SHA256
a31f6f21787ec181ba4c4bee78a10b18aecb5d246c3c488582a59b92b844a598

SHA512
a4052617fce26d51a8e1b907082612561808190407a34bda7bdbbbbb253eb9d44a0b8379b7ecfccdb593611243b94d839c6782099271f6cad16c18dd022306cc

Download Submit
C:\Users\Admin\AppData\Local\TempQQKCI.txt

Filesize
163B

MD5
be553e318d26d4c48e6351ad60354e07

SHA1
a74785f31994f587996deea58abd17b8d85cb435

SHA256
44d02310225ed2b3c9010beef3b167e01cc481373ab1e8df2c7fec68d8a82b59

SHA512
b4d89f42aa1c5c21b9b8c6e5f7c12a2621b83256de41a4861fb4a9d4cc2139479091c39619728e8a138b389774b8e66b3bc7baedea6bf60a11d88a7b3c90f22c

Download Submit
C:\Users\Admin\AppData\Local\TempQUPWL.txt

Filesize
163B

MD5
96ee9589f991bd9c3dcd56ca158d2b77

SHA1
d2f5d1b16cd3d9e20d97d95d27e2228461452ede

SHA256
73ac7be5d82c6725cb5c08a99f4af57ee5e888a45d4db04ebdc6a60137923571

SHA512
d37955950a9eaf0eef608960dec84def0baea494489226d19651c63d09e6c869007a9d44297c63de5fff6f5ecf02f14447b1f2a811a8b534ad0c5cfa6812f543

Download Submit
C:\Users\Admin\AppData\Local\TempQWMKO.txt

Filesize
163B

MD5
f8c327a1d00f089caade91f9fdce0c9f

SHA1
6ec1e9c0fbde19a94605ff91e882f090a136afa5

SHA256
fc79af184e268f69fbb0fc3f1277f47e36963771dc2886cd9156aba420a0f755

SHA512
fb4d97d1d9bee65d45b0184216ece0ffd3088d7cc692629706130089b31a6773ce9e3da3a071096ab861d248b5c3b38bfac25f1b5dbca103e0ed90ace9ee7994

Download Submit
C:\Users\Admin\AppData\Local\TempRSXDE.txt

Filesize
163B

MD5
5ee2dcdf707f3358fd165faf4f5bb8d3

SHA1
44f23abf92a6e5d40ec77a6a1ef55d0434264653

SHA256
cc43868528bc2262f64776caa400f4b756b4fb39c288fa8fe8088a18f0a2e36d

SHA512
646ea55b4cd90b5673f3b1a865b87df1555876fc0de7f446b8ff10d11b8b85eff789c3562bf13f155d8e6799602f796350456eb54f8e45750ffed7a18708a97b

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.txt

Filesize
163B

MD5
f4f179bf4a1de071f262808d5fa9c88b

SHA1
ef648d9894df6d57385122a72b62b0e9977150dd

SHA256
413cea82a7b06b41b13451452c403b36e7b3ef3fbb5a29cebb420b2b43256894

SHA512
c5b3931053191affdcff6f875fb57bf551bdcff6b887ce1a1dd2d9efb6cbb8af7db35f22ac82f85112d1a99d0a15d0a3576f29216c058fd698ea6acba4d2eb61

Download Submit
C:\Users\Admin\AppData\Local\TempSOWNC.txt

Filesize
163B

MD5
10cf72e757b7f8f546675ff7f3219612

SHA1
aff8f8b513b73a463364e99c70092349cde04447

SHA256
f7560a804958e091364329e9787dc87f80f94023fe8e9bf92566a72102008749

SHA512
76839668dd9f0592f73b6e70be3d31706d4233996abbe119f6ca363090fdc6960f7440905e40bc9710cc785d878a617405d114845db6f80261ac57d2a7e8cd14

Download Submit
C:\Users\Admin\AppData\Local\TempTBPOA.txt

Filesize
163B

MD5
c4ae48b0d8b9b12121b4014ad4e4d406

SHA1
185c92c600fcb029876c55c41f1d04bfa1ccd97d

SHA256
983e2b9911e0186a1c30277d7f4381738f4b9366483427e8614ea66b57a76513

SHA512
c3405abe6cfa1e8b6b1f29245879efe14b6da940e2105697ee43716b2a6aee813f27a51374659f8ba1705d3d6dac7ed599a59bc2773cc5d5cd84702f5e47b5d9

Download Submit
C:\Users\Admin\AppData\Local\TempTQLRW.txt

Filesize
163B

MD5
45205a053aad816fa8a70e08ed959c73

SHA1
1b44c4e5bc58f0ede8132af913f64ba2e030e5fd

SHA256
3fdbd881d5ebbd7192cdf085be8eb6653b0ed9336e1d8335bf68eff9a2f6eb19

SHA512
fc1f29c9a69dff362cd55893fe9fa1067dcd9861ec5990bd4fe04b10708f5aed390f1b61f2bc75307c77a53385738bcc105c3eebff11a5ae3c1a8466d24a6112

Download Submit
C:\Users\Admin\AppData\Local\TempUNTFB.txt

Filesize
163B

MD5
a970f6ef879204345b5089c6e61f78ca

SHA1
6aa38080aa0e7827a2a5ff5fcf50e3acdf3342a2

SHA256
fb287b966dc19a17e59d273d4b48dcb8f673c383bb4185869c56c4ce81865bb7

SHA512
564919068992dc27ad220828c8ee726eff2d55dcd27eed9f6c9d74634c8a114e7c82eda6dd9e67da350df4101436a47a73270ab2e16c3e519ce727dc4de7497c

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
f286a997dafd3f45392758cd25adb9c7

SHA1
dd9863ba8a55910f95341ac38268e7bbd6c27330

SHA256
5e6541f54dfab8ef75e8af742526b73008d832be582cac12e866c730228ecfc1

SHA512
68071827c9ea291a46a5931c8a87d56a0e1122b46b420173919c818bd47ce3caa4a273b161301890cc48fba61b5867a8461cffe2ad7edd796a808d8238e3355d

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.txt

Filesize
163B

MD5
b27276983c118e15839b76dc75c9dc28

SHA1
d728189a4f0cb8d008e28313340918768a6d8550

SHA256
52dc9e048ca29a43a5404b9a3172d2be99420587b8505f17208854938716471f

SHA512
a3808f557c92260717a993f0be4e46e03ba562c63bd013137bba6037cebf0e62814ba8cdd00dad5797dff5b27c51d24d10bc3fa0854b4361bc4e84b90b8233c4

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.txt

Filesize
163B

MD5
dbfd9b6db7038be035b143a5c27f6de5

SHA1
4ea42c16695201dcc20a48815f3af93c59c892d7

SHA256
b90b026d1eb0eba3c20292a65232d3beeb08b012d29063d427879b455366a2cc

SHA512
03b713d9248e078de7c3d2262e504d7454076bbffce59f94bb8dad5e394a0eeecacec6eba35a8f5f67972225c20873e4f17affe70d573a7d57ae0a952f958403

Download Submit
C:\Users\Admin\AppData\Local\TempVREBQ.txt

Filesize
163B

MD5
78a4c7256c8472ad1dbb6773657cdf49

SHA1
0effd827783d49c51b8a34dcf41589fcf74953e4

SHA256
90b8395a382d66835cb33d634d166c3cea24f0fa5a2ea6b9f71339bde7c0efa7

SHA512
f5a87b7be2b11db3f22a0aede8380be224597c57c0947f523d60132775c23b62d2a9502bdb8000f131c77d8371de3c5b50a3f96666070082f403083a5d086efa

Download Submit
C:\Users\Admin\AppData\Local\TempVREBQ.txt

Filesize
163B

MD5
5739d1e19ae8eca3c7272c74c2b74469

SHA1
bb36c1b2d57b60552f821eee6e46a0dc4a99046f

SHA256
454bd3e4b4aea372ca9fbfa4fe1d6b67b8bc1c6a031dac1b38892c05ceca6a67

SHA512
9b845c99f4083a71c02c9efc4b2fd604563e3ced2a6282916ec6130cf75b2557cdd3323e27e110d95256967afdb0ef721dd0dc6fc95fbf7114135cbb89290362

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
a39454a73687ba6724aac5a2dd46e82b

SHA1
5aefa4688cd7a115c87d470b61e35250366307c0

SHA256
a9ac5445ff333c0c317e924010a3b1df0807d3688171fa19ded3462607f36323

SHA512
008cbf3e97d0000d6e3934a0cd35c164cc4684768b032cf0235f5821d0d4aace012d2f04a5ae223b9dede91070f8cca508e6523a74d68c040e393139c0c46571

Download Submit
C:\Users\Admin\AppData\Local\TempWJRAL.txt

Filesize
163B

MD5
fa6078fda371e7b8e21394913dc00141

SHA1
bff6bd876406edd8261f2a6cbc5dbf8ada2052ee

SHA256
ac3c000b4e7c36f3299ad2f8b02007be1bc0069bc3c36385f51fb052c386e4bd

SHA512
4ec8c3439199c5c43f61a448dbd3047fc51bf26655f63d797bcd488b153e5804b5459b5a5c999511ca3e17e5b55173ca141e64caedfe2ef62f881f329c0c3059

Download Submit
C:\Users\Admin\AppData\Local\TempWLHPG.txt

Filesize
163B

MD5
28dff963d76cc8da967b4ae98d8fc0f0

SHA1
c18fe87da50c89c7a4cd847ffd7f3d88ce76d108

SHA256
960f4a20f8082d1173a390a0b958344e10b05d79a0821a1cd68258adfa763287

SHA512
71e97ed7981c9760ac651ac9d0351788b0e89bcf08a600ee9872f72ec65cd86e8df99fb3a4902a279ca7928913572bdeb7a6a61f0a8a4451309c04b2cf162dcb

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.txt

Filesize
163B

MD5
7ac1fabc9df638590705057fcfb35843

SHA1
713852ced0fe693801d29d556f4945ce46712ebe

SHA256
ef520fbaa273cc23c26e024e90e9aa9168b4f8968c42a14f802b7d1048f5fccd

SHA512
f523462b0075a98e2bc697cc4c2b06192466148f8fc3f8cd3d0d55a32df5153d0307eba4c59236e8c4ba016b36683a57b1c990f130e52518c01093cd8cff6c71

Download Submit
C:\Users\Admin\AppData\Local\TempXNIRI.txt

Filesize
163B

MD5
09f9a42b92e9d480a6fe533ee6e213ed

SHA1
074ba0383e9f9010a8150c63c05832c85c1dd3c6

SHA256
ec72415a8d68e9c2403a0e1bcdf4a49a541655e6e44db7e47cd2e848637d4d38

SHA512
010564342283cfa8c3738f4398c064e30e38b793b3e5eb515d89a8531f6efa08b0505fe71cfd0f3919e23caa253fbc2e8b895dfceaafc599966aae8b190bc9c4

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.txt

Filesize
163B

MD5
b5222e9cba223858ef966e37fecf32db

SHA1
c343007688852be9da3377ec114fa7e3d4a19e50

SHA256
eec7d128cb2b64b791f25b5b050d2047f854b61fde1c9980dc0769efd99acef5

SHA512
01989cb469554105fd330d53ae100a3bb71dd547651f39916904bc431b39a7c53a0a6e6a8ce1dba28874bfffcfd11519e96bd7c0f47eaea561fe7e9d0a4b38f8

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.txt

Filesize
163B

MD5
af522a5ea303ea851c24f9829c421740

SHA1
f5a77928aac462afe7f56199ae8de75e032481bf

SHA256
5ff4f4614539c82da38c5537d8ffd56163edec2b1dc2af8e41cb98e7baba0a87

SHA512
9af85c64ae72327555a0065d5206341edc93838d6fe49e41c95459add623c79acaf9803a731939b1a77526b7084d39ca62255c301550f4fa9d5ac776e7a3e183

Download Submit
C:\Users\Admin\AppData\Local\TempYUBCH.txt

Filesize
163B

MD5
a547167e3f76ca96096d13bd46a2335e

SHA1
03cd2e95cc310ee299484375e8378bd03c9e3aaf

SHA256
7bacbcae99c420bfd51b80547ec2962c0a395eeb6b94ced5d0c6ef8d3d95bb1f

SHA512
1a60940def1228ac6938eda04c17615be613922d09f45f33c08ded678c9572521d39ce80d545948496d6c467bec780c1cfe6b2dbebc569fa70edaf9292010d9f

Download Submit
C:\Users\Admin\AppData\Local\TempYWFFO.txt

Filesize
163B

MD5
af249ed154df90b4bb6d1682ed6abcbe

SHA1
c814cd4f932fa63db756375df87a83ed12b68cf4

SHA256
0b13352e08b16522a72453de33a41f0507261d27923d0e60ec5e808d1a8e8575

SHA512
3f7c9ecf418c8ce7c8c3baa7de6396c620f1ff91e3afd3e07df2723f4b5ba1795d8923141d6ce013d73cd3b47080c506a538a6ce3c4b36f73dc873ec924a8307

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

Filesize
520KB

MD5
892cff2543c73b915fea4ee297755d90

SHA1
b015bb19af6395c55d57018813943102f3dfafe7

SHA256
cc3fe2af7ac96049a8640b206f15cc18232b69c40f4f65f942bb89d6fe04a320

SHA512
0735cad440477a81c8b4a1514cb5bbefe3a1d0f6ab00d6c62b7b12fd3d5e15e2227c0ed698ec14157982f18d6493ce8915c8b5c3c3f3757a26f65ad8671ce6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCEVRS\service.exe

Filesize
520KB

MD5
eac107cc4fa676351c913a8f55c10f3f

SHA1
78d1cdc696f040abd0a5ac243f2f86b80cf4ff3f

SHA256
d501d33898f6ccbef52a8f81b1f60b02860c1959b678f2e0201d96c0576e6838

SHA512
bbd45ee5226f56e43368c86546916f877b5d084c7fa6ed7cd98b270d6e9724b048c81ef859ddd533847dd1a47cdade01194a8ee348139d125dc683235ea9939d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe

Filesize
520KB

MD5
dff389b8a6a203c32295f66a2c95d934

SHA1
39695bbaa94ff92ab9f857f75f1da632e9f4a76d

SHA256
3d2c0e97b8bea95b98b601df21cfaa39339371a1c2ecc0d7be276c366af6fb07

SHA512
4feb077fa5bb507bf1a250c6225994df465620c2f0aa4f98062d621bc60e20a399714fdfdbb004512ef3942ffcfc21ea4b868f26101502e39e89652a7a1035d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe

Filesize
520KB

MD5
1217577cf95099598dfb04344811f67c

SHA1
52bbfacea54768e8d1c6ac89cc4ccb8b3ff0a68d

SHA256
e7e30e629be38013490129a87789feeb4bef30dd868bf384c23209973202434a

SHA512
81e129cff1c2a1f565dc3b123499dc62adf0f936e10255a7403a48b7a437e643b12f581162d889dafe07241edfd1c1dcbf35f4cf2e6d469f2ca9a7c6d9d42a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe

Filesize
520KB

MD5
6bd7684a3e3a440cf50b3a69a448a54c

SHA1
b86b97b8239494c97290b0df6ab3bbd7915cf8e8

SHA256
6e0903f52d2174a8443241f0eaac0d968acc24157edb78bde9487a8f6d8fccd4

SHA512
a0baa5526461adf4025cbdd26e7dffddae51227ff5a91361f03280c24c80bf9b787f0230d2a9c28edea46822be9ddbcc8a30c25f175714b5a53c30531b8a561e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAGLCN\service.exe

Filesize
520KB

MD5
ccde714de46c619bc0f8e0d33b28439f

SHA1
ecd2ef18f81a1143f986078fd19746d2939adbc8

SHA256
9a8a9348509166fb0b5df7fabbfcaf888e3e7b9a3f65b00a383df7be6b137a75

SHA512
4ffceff90de150cc4a35e280001ad171cfeec439e4b2438deb8581cbe204e3da6c38ff7d09ded6f8b141234978e08b1583c14d6ce88f73f7de4cab414e0f12d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

Filesize
520KB

MD5
5f7137b7cab3d287c5e4261023bb87f7

SHA1
afd2ddf52ae0d191e622132797a50248943a3d18

SHA256
7067ea107d5a9d8cbe1c049b12c30fdca60b77767492e43696bb2cd4c98776e9

SHA512
9eb5c58668849c4e5f3dc23081eefa5f9f0788d644912dd64d6d9544da4f738c9c4a265432c6db8393c9f22da2a158ae29a99d9cafb1c2c0f92def4e6072fc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe

Filesize
520KB

MD5
f1f0c8cf2a1308c6e15ea12acf69419b

SHA1
d014748b24a5049d379e3001b84b438d9d81f307

SHA256
2736db13bacbea9afa8ab3ed2d19686ff743d4222d37e1b6cfce6a9422f55055

SHA512
5f946875cc4723cf0d62331f923ca9b988594df65cd87e5cda7e040f2f953fdaebb6e70bbd231ca6377ae9ef33968b04c15b0b968924f4b9e31c284a9500d9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

Filesize
520KB

MD5
967dd2202bbc589bc5e08ce0fc6ff2c6

SHA1
c21eaba21fe96aa72574dcc88d6a335d68e050a1

SHA256
8a9c83364ecc5e4f5b4f4ec41191dd2701fe10b7713eaa7a48b7216466b1f9fb

SHA512
b517eba495a06614b5b0a2c9b500c9f7aa55feb5804cb45ee22451b6542360ab61a857ce444a0105690fec4587e796a80244616ab0f0bffb8abd8496f9be905e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

Filesize
520KB

MD5
474dd6c628cb8cedf383e8952ab14fec

SHA1
61d3e91978e0952857c472018070254aad37c12a

SHA256
845a82fcf577e030bca1820bd9941fbcab5c16c998c821e8548231ed49881402

SHA512
c9a0bf2d92bbcabd396cda3d53038ed5d7fdb449b149db6299bcbb51e549b8e0bb9912f0320dbd60e6e8c2977e0b3e241cc93a377d4b2b6cec7b6cedf97c7805

Download Submit
C:\Users\Admin\AppData\Local\Temp\LETDLUAQLGAFVWT\service.exe

Filesize
520KB

MD5
3052dbd6d3f043d86a3a7ae767db0aee

SHA1
54b89d6a04d3b5e08e86ddf03a2cb9aaaf6f6172

SHA256
98bc0d4be6803e842610f2631587933d0dc2fd5b12e6cc7c10bf7e99733ffc35

SHA512
cece1564ef22bc8b48951277524cda9f2a887a3d43fc47fd3e0d70215b5a638961cd9ec4ec2bfd3761062a4b3ae380b93473b5fa6f890aa6027d8eaea077f665

Download Submit
C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe

Filesize
520KB

MD5
cfb3f1214d36b376efe9a961edaa38a0

SHA1
47c14d218a83c06fd3e746b5968afc3e95d8a776

SHA256
36b6d23268d95fd0bb9974a7847017ceaa860f2c392f52b779fa82d6b0391ffd

SHA512
0d0328515347afa396a695eb051eacc165eb9374f069fcf76c7ea71bb0d53c5916ca3b457f52541c62f60e6115d5b7adda9372529e647ad750237a6f2b5c57a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

Filesize
520KB

MD5
03fa1884e7e8c9067a4b22a47458b849

SHA1
6e3b8ff191f26c1dfbd76b540b1bde3ee5e1d0c5

SHA256
9d73d328c37d59c8d9bfe20cb05355f130900248730c13f23b31804c6601e05b

SHA512
f08191d6dcbe994f30ee15e2d88e5f49ebe508cf7fb3d2d2c1e1bef85b6bdd2c33221a50b0e4bad1d42cdb9be6ffcc1d3148d734656357c2146b46871f8b2e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFWNBLC\service.exe

Filesize
520KB

MD5
82e0fccb52351534e8bba9d0ef608576

SHA1
ec6e3f86b5fc4b996bc1572b95cf154921c680a7

SHA256
59faf2f8be7a3f6c1cbd9dbb053fd89c1db783fe7a94e0d2948758f82d8cb4d8

SHA512
e7a5ef106b9aa21e14f4cce3c08dbefc8f46d8481eec4aab5c90f8960afa4915669d00b1d76d0b32022aec8534b295ade8f47d95b46826afb305a2b7cd5a872c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKANVEP\service.exe

Filesize
520KB

MD5
7abd277216f96b3a9c89155fa11e4ca8

SHA1
b7eee722a4c324999e16646173450866e2f58376

SHA256
f3f2a53d78fc811bf62738c607c96ed33e5a982b3f17617815bc766006d64c21

SHA512
9aec6ef18306538fb0b9093ac8386f5c11db70504d7f0ba6dc8271ffa442a0035004596b9c5549467395ab871162ce331ff6459ff6cc3ae5820974db08c33bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe

Filesize
520KB

MD5
08b45edeeca54f3171de2e190f3a2987

SHA1
44da4ad2bac8d08f0db82c421ad1e0742817af04

SHA256
8baf61fe3511df3678928b3c558699baca6e264fcb44addecedfc926a0da4486

SHA512
21054bdcb474daa18c04b0ab4a926c3271a31b72404dbba07d56b3582cff8a516352c0bfb3bd137b36a6fd27d5a60a367824ed489b2ada1c967385965cc49eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe

Filesize
520KB

MD5
60f6f2c8ff591267f23d0681f012a2a2

SHA1
8c95d91f950d94c870b718abdc50abfffb15cbdc

SHA256
426ea008b8883578fc1981da84e29978884551185f97ad6801ea540b741240ce

SHA512
0a25327626c023974036d3d93ace80104051e88ce12787840e53812126c90b40ed3ad440080c20643a27e5234d049a378fb789b456d0896f8e753c16d73ebf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe

Filesize
520KB

MD5
12599fb82476496fa0ca94e9199002a4

SHA1
bcc193fbc9bfb83376d090c47a91f65b99ecb483

SHA256
b05cd109e9259717d6b9dca229234009b8dc0439aa0305d2bdecceec2f1620c3

SHA512
6e0b9e48d9668e28445ea0dbe54fa0cdff7e222d05013eb87bf3d06ff8c19c41e3d84311ec951bff3bb8409623c0c1d5ef1c79bb7b3693531552e9d8bb2c8cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQIOVHHAUBSOYOK\service.exe

Filesize
520KB

MD5
24ebe24a56a83462b86a438279d3f405

SHA1
4551e8e7ad63136f8006cf1e7c40b1fd21a5eb67

SHA256
f1c837f821a9e60086d3d42d62a1e39a7d4a8c1cef5a01b122e8a3bc3ae101f0

SHA512
056b32a90d5d75174520cb7ec7c09aabfcf5a955b9c803210e1081dcafcf1ba5d32a82ac8024a2942a85fcaa3dfc4e203209f63e5bccbfe8dd077041e6a9370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.txt

Filesize
520KB

MD5
96b149140fd2efdce550e97f14ce1d1a

SHA1
04ea15151206b0364d417f1471bdf18076308443

SHA256
0db5ff3ad2d267f0bff608a116c92879775dd8a0204430ef0168b257760fff18

SHA512
312a302cdca61dd98833c72084b242e14accaa1652d0d4c87d756ecf25aa13901da579b15fad64e2f2a47764fd91544b0cb2254baadc04843044f7c6ed168a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

Filesize
520KB

MD5
6989634fd66c143ed410f0f8398f8b2a

SHA1
df8c1b5431353a3ff87f9ea1554a1e07f983cfa1

SHA256
b9090274a31d871839a450166a1287c0486fdeeadc3229914da1b55bb89929c7

SHA512
0dfb5fc3cc882575d3b54e60e3d1c301bef299a3d60927361c5f9720a9e99af5e1e8ffa0d4f269a9bddcfe2187c23e53119609fd02a2074e17ba4b23aa8e7fbc

Download Submit
memory/2484-1507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-1508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-1513-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-1514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-1516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2484-1517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads