blackshades | b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Size

520KB
MD5

36a828650bba44e1b32b96bd0c15f427
SHA1

17c64a0eff01a4175eb0b521338edebde76cdb92
SHA256

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487
SHA512

3b2d16a3741ae17d3fae894370d6dd483e72e4ee4e9abecdeda13178c1a86504770e7ee2122b5a66eecb29cffc15665a101d46e493ad9bea4ed0abf829003608
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 8 IoCs

resource	yara_rule
behavioral1/memory/1488-1293-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1298-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1299-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1301-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1302-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1303-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1305-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1488-1306-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXNDIARIGR\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 52 IoCs

pid	Process
2844	service.exe
1660	service.exe
1932	service.exe
1500	service.exe
2256	service.exe
3008	service.exe
1644	service.exe
1760	service.exe
2684	service.exe
1404	service.exe
2412	service.exe
2384	service.exe
2468	service.exe
1012	service.exe
2184	service.exe
2968	service.exe
1564	service.exe
2676	service.exe
2776	service.exe
584	service.exe
660	service.exe
2312	service.exe
2228	service.exe
1848	service.exe
1648	service.exe
1876	service.exe
2672	service.exe
1896	service.exe
2812	service.exe
2456	service.exe
2584	service.exe
292	service.exe
1544	service.exe
1872	service.exe
2424	service.exe
2756	service.exe
2220	service.exe
2984	service.exe
624	service.exe
2332	service.exe
1828	service.exe
2212	service.exe
404	service.exe
1272	service.exe
1640	service.exe
2908	service.exe
2740	service.exe
2804	service.exe
2868	service.exe
1900	service.exe
2292	service.exe
1488	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2844	service.exe
2844	service.exe
1660	service.exe
1660	service.exe
1932	service.exe
1932	service.exe
1500	service.exe
1500	service.exe
2256	service.exe
2256	service.exe
3008	service.exe
3008	service.exe
1644	service.exe
1644	service.exe
1760	service.exe
1760	service.exe
2684	service.exe
2684	service.exe
1404	service.exe
1404	service.exe
2412	service.exe
2412	service.exe
2384	service.exe
2384	service.exe
2468	service.exe
2468	service.exe
1012	service.exe
1012	service.exe
2184	service.exe
2184	service.exe
2968	service.exe
2968	service.exe
1564	service.exe
1564	service.exe
2676	service.exe
2676	service.exe
2776	service.exe
2776	service.exe
584	service.exe
584	service.exe
660	service.exe
660	service.exe
2312	service.exe
2312	service.exe
2228	service.exe
2228	service.exe
1848	service.exe
1848	service.exe
1648	service.exe
1648	service.exe
1876	service.exe
1876	service.exe
2672	service.exe
2672	service.exe
1896	service.exe
1896	service.exe
2812	service.exe
2812	service.exe
2456	service.exe
2456	service.exe
2584	service.exe
2584	service.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJVHFJXYBLQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHOJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUGGEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGGSYPMRMTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEYEAVQDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLPVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IVRPUGAUWBRKNOY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYRQSEINBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVDL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYAVPDKFJXGSYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUCDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGNCDVUCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWRQWSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJTETDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOLPKSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCCDXDUOCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKXIGLYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLJOBFAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYUPDKFJXGRYOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYMYKIMAEOTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\KOTABGESSFHCADX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\INSFCRQEFBBWREM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOCNVN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOLPLSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDXDUPCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUBKXTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMLPDGCAQWPFFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJDWBDUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNSFJFCTRHHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXNDIARIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UFDHCKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKJMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGPWHDOHIYRUWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXRFMHMIUQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQFEFBGBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONHRYIFAPJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCXCTOBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKYAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJXYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DPQLKMCPXGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJEDFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXVFBMFGXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQEIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLBHPHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTRAL\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
940	reg.exe
2376	reg.exe
2496	reg.exe
2180	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1488	service.exe
Token: SeCreateTokenPrivilege	1488	service.exe
Token: SeAssignPrimaryTokenPrivilege	1488	service.exe
Token: SeLockMemoryPrivilege	1488	service.exe
Token: SeIncreaseQuotaPrivilege	1488	service.exe
Token: SeMachineAccountPrivilege	1488	service.exe
Token: SeTcbPrivilege	1488	service.exe
Token: SeSecurityPrivilege	1488	service.exe
Token: SeTakeOwnershipPrivilege	1488	service.exe
Token: SeLoadDriverPrivilege	1488	service.exe
Token: SeSystemProfilePrivilege	1488	service.exe
Token: SeSystemtimePrivilege	1488	service.exe
Token: SeProfSingleProcessPrivilege	1488	service.exe
Token: SeIncBasePriorityPrivilege	1488	service.exe
Token: SeCreatePagefilePrivilege	1488	service.exe
Token: SeCreatePermanentPrivilege	1488	service.exe
Token: SeBackupPrivilege	1488	service.exe
Token: SeRestorePrivilege	1488	service.exe
Token: SeShutdownPrivilege	1488	service.exe
Token: SeDebugPrivilege	1488	service.exe
Token: SeAuditPrivilege	1488	service.exe
Token: SeSystemEnvironmentPrivilege	1488	service.exe
Token: SeChangeNotifyPrivilege	1488	service.exe
Token: SeRemoteShutdownPrivilege	1488	service.exe
Token: SeUndockPrivilege	1488	service.exe
Token: SeSyncAgentPrivilege	1488	service.exe
Token: SeEnableDelegationPrivilege	1488	service.exe
Token: SeManageVolumePrivilege	1488	service.exe
Token: SeImpersonatePrivilege	1488	service.exe
Token: SeCreateGlobalPrivilege	1488	service.exe
Token: 31	1488	service.exe
Token: 32	1488	service.exe
Token: 33	1488	service.exe
Token: 34	1488	service.exe
Token: 35	1488	service.exe

Suspicious use of SetWindowsHookEx 55 IoCs

pid	Process
2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2844	service.exe
1660	service.exe
1932	service.exe
1500	service.exe
2256	service.exe
3008	service.exe
1644	service.exe
1760	service.exe
2684	service.exe
1404	service.exe
2412	service.exe
2384	service.exe
2468	service.exe
1012	service.exe
2184	service.exe
2968	service.exe
1564	service.exe
2676	service.exe
2776	service.exe
584	service.exe
660	service.exe
2312	service.exe
2228	service.exe
1848	service.exe
1648	service.exe
1876	service.exe
2672	service.exe
1896	service.exe
2812	service.exe
2456	service.exe
2584	service.exe
292	service.exe
1544	service.exe
1872	service.exe
2424	service.exe
2756	service.exe
2220	service.exe
2984	service.exe
624	service.exe
2332	service.exe
1828	service.exe
2212	service.exe
404	service.exe
1272	service.exe
1640	service.exe
1564	service.exe
2740	service.exe
2804	service.exe
2868	service.exe
1900	service.exe
2292	service.exe
1488	service.exe
1488	service.exe
1488	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2532	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	31
PID 2776 wrote to memory of 2532	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	31
PID 2776 wrote to memory of 2532	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	31
PID 2776 wrote to memory of 2532	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	31
PID 2532 wrote to memory of 2684	2532	cmd.exe	33
PID 2532 wrote to memory of 2684	2532	cmd.exe	33
PID 2532 wrote to memory of 2684	2532	cmd.exe	33
PID 2532 wrote to memory of 2684	2532	cmd.exe	33
PID 2776 wrote to memory of 2844	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	34
PID 2776 wrote to memory of 2844	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	34
PID 2776 wrote to memory of 2844	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	34
PID 2776 wrote to memory of 2844	2776	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	34
PID 2844 wrote to memory of 2984	2844	service.exe	35
PID 2844 wrote to memory of 2984	2844	service.exe	35
PID 2844 wrote to memory of 2984	2844	service.exe	35
PID 2844 wrote to memory of 2984	2844	service.exe	35
PID 2984 wrote to memory of 1404	2984	cmd.exe	37
PID 2984 wrote to memory of 1404	2984	cmd.exe	37
PID 2984 wrote to memory of 1404	2984	cmd.exe	37
PID 2984 wrote to memory of 1404	2984	cmd.exe	37
PID 2844 wrote to memory of 1660	2844	service.exe	38
PID 2844 wrote to memory of 1660	2844	service.exe	38
PID 2844 wrote to memory of 1660	2844	service.exe	38
PID 2844 wrote to memory of 1660	2844	service.exe	38
PID 1660 wrote to memory of 2412	1660	service.exe	39
PID 1660 wrote to memory of 2412	1660	service.exe	39
PID 1660 wrote to memory of 2412	1660	service.exe	39
PID 1660 wrote to memory of 2412	1660	service.exe	39
PID 2412 wrote to memory of 1952	2412	cmd.exe	41
PID 2412 wrote to memory of 1952	2412	cmd.exe	41
PID 2412 wrote to memory of 1952	2412	cmd.exe	41
PID 2412 wrote to memory of 1952	2412	cmd.exe	41
PID 1660 wrote to memory of 1932	1660	service.exe	42
PID 1660 wrote to memory of 1932	1660	service.exe	42
PID 1660 wrote to memory of 1932	1660	service.exe	42
PID 1660 wrote to memory of 1932	1660	service.exe	42
PID 1932 wrote to memory of 264	1932	service.exe	43
PID 1932 wrote to memory of 264	1932	service.exe	43
PID 1932 wrote to memory of 264	1932	service.exe	43
PID 1932 wrote to memory of 264	1932	service.exe	43
PID 264 wrote to memory of 1244	264	cmd.exe	45
PID 264 wrote to memory of 1244	264	cmd.exe	45
PID 264 wrote to memory of 1244	264	cmd.exe	45
PID 264 wrote to memory of 1244	264	cmd.exe	45
PID 1932 wrote to memory of 1500	1932	service.exe	46
PID 1932 wrote to memory of 1500	1932	service.exe	46
PID 1932 wrote to memory of 1500	1932	service.exe	46
PID 1932 wrote to memory of 1500	1932	service.exe	46
PID 1500 wrote to memory of 2176	1500	service.exe	47
PID 1500 wrote to memory of 2176	1500	service.exe	47
PID 1500 wrote to memory of 2176	1500	service.exe	47
PID 1500 wrote to memory of 2176	1500	service.exe	47
PID 2176 wrote to memory of 1904	2176	cmd.exe	49
PID 2176 wrote to memory of 1904	2176	cmd.exe	49
PID 2176 wrote to memory of 1904	2176	cmd.exe	49
PID 2176 wrote to memory of 1904	2176	cmd.exe	49
PID 1500 wrote to memory of 2256	1500	service.exe	50
PID 1500 wrote to memory of 2256	1500	service.exe	50
PID 1500 wrote to memory of 2256	1500	service.exe	50
PID 1500 wrote to memory of 2256	1500	service.exe	50
PID 2256 wrote to memory of 2096	2256	service.exe	51
PID 2256 wrote to memory of 2096	2256	service.exe	51
PID 2256 wrote to memory of 2096	2256	service.exe	51
PID 2256 wrote to memory of 2096	2256	service.exe	51

C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
"C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
  "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1404
- - C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe
    "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTETDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOTABGESSFHCADX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCLC\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCLC\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTABHE.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVRPUGAUWBRKNOY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYRQSEINBNV\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\CPLYOYRQSEINBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLYOYRQSEINBNV\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJVHFJXYBLQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREC.bat" "
        9⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHIQM.bat" "
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOLPKSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVDL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIGOAG.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPWHDOHIYRUWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVKKL.bat" "
        13⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXRFMHMIUQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        14⤵
        
        PID:304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKXIGLYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "
        15⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        16⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAVPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
        17⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQEIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPHFQO\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJBDQM.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJXYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        19⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQFEFBGBWREMG\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHOJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGLITQ.bat" "
        21⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INSFCRQEFBBWREM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        22⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        24⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGGEMFJYA\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUGGEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGGEMFJYA\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "
        25⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGRYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQWNKO.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOCNVN\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        27⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFAPJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVRFC.bat" "
        28⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGHQL.bat" "
        29⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
        30⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "
        31⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "
        32⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        33⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGNCDVUCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        34⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJEDFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        35⤵
        
        PID:844
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAA\service.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        36⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHEMFJ.bat" "
        37⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMFGXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        38⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYKIMAEOTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHIQM.bat" "
        39⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOLPLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDXDUPCJE\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQWC.bat" "
        40⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKXTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        41⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        42⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempENEYB.bat" "
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJHPBI.bat" "
        44⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXESR.bat" "
        45⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMLPDGCAQWPFFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJDWBDUQR\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXJJDWBDUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXJJDWBDUQR\service.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f
        49⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"
        48⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYPMRMTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLGPGE.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKJMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        52⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJFCTRHHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        55⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        56⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe:*:Enabled:Windows Messanger" /f
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe:*:Enabled:Windows Messanger" /f
        56⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        56⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        56⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
2a28d3eb244de60a40c4fd3612ab8c71

SHA1
bf705208da5e11170daed7c38869ec3416defc40

SHA256
6144e661320f24b4bf026af8b513273d6313fbf0ac21dc86a40031e30107a93f

SHA512
132127b030c84c266d3fce7c0b8589aae5612764a98a5198e271d8d984df91a30e174ca840071da364fcf2f2661deb03b1429981633cd3fa522f8f9c7f798373

Download Submit
C:\Users\Admin\AppData\Local\TempAHIQM.bat

Filesize
163B

MD5
567978bd8c95d383eb213210ecc7d7c4

SHA1
fb55627cced65703c60612bb94514d760e9aa39f

SHA256
37d01cf8255f78ab47ea5f4ae501c760bb7ad041553170924b6fc7e02ff72327

SHA512
09660df50105a7e72c9aa6ef121212b925c6971e6cb9d94ba89a0123819566ba94ef6fcf940479a298201912d9b9bea6aaf369df1597c5748d000e6a84539ec1

Download Submit
C:\Users\Admin\AppData\Local\TempAHIQM.bat

Filesize
163B

MD5
0708a5ef04df23370d4eecd5480aac2c

SHA1
b0844a5d03a28ca0b7cc607833e3dd1fee2f2c15

SHA256
c53feef3eec1d2560f8bc7296595f985db3f9f9161b6b8c0296904bc14219601

SHA512
3167e9512be2058037eb03ba128ff90b076f7bf9a099e85d5604591b4c079d81a9f124598d595e9c0178f2ee753e0a91d785e7e52a0d199aed3de572474f6d98

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
15e1372867e970b91375effe5a748248

SHA1
9ac65450525aa421316ffc5681c15c16ea0c819a

SHA256
ad09311768152098e3f821d65e6d3eb60a0582382cbb731537932b514445ba48

SHA512
26399d87b8a7219acf7bf7f3111acb95781cef6453388b1b75f3392e2caf63c2700e54d0a0f64227a57d0aa8f8f9f8dc5b170a81945a18e73010f89cdbc35d66

Download Submit
C:\Users\Admin\AppData\Local\TempCWAMY.bat

Filesize
163B

MD5
e466b7bef8cce718fbb8bc343b27f16d

SHA1
d0b057a7abfc0101b77e241f77518957a66fe528

SHA256
691ff9337efd6cc5bcff0305153914456107aabf12afc973729a3bf48110cc8d

SHA512
39259ca71f33b1d5c91fe3783e942627708ab66c07992c56e01729c384af15bb2a710d3f21a41862941a1378004260d9cb252fe1a127cbf84d74a6fcd92903a0

Download Submit
C:\Users\Admin\AppData\Local\TempDHYUV.bat

Filesize
163B

MD5
e13f314830c35740302e2988e38038ed

SHA1
25ae4d4027f1d379c14175ed5431ae564c074ec4

SHA256
5a2491d3063b42a11f0fc9fd9dd345e475c6de25bd0e3ac44f6e2cbd0435dd86

SHA512
15eb39f7a5845955431d921816f979af697e1d637f3feb68cd2d811bb833bec0e99eeb032833d187f517270d6331d14c44bb0686ce7cdc26953f1626915b2d17

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
eb1981947d081f28fe8eefe71ba83464

SHA1
518f6efa878b2ceffc45965cee66ebc1358beeca

SHA256
ea0eefd90e9492d19be6d6a5b40601452f3c18cb5febc5f74c6a6ab2dd8081be

SHA512
27932aaf3523fae850e9b71981d1a573b86f6e838de12508ad3c3410fdb6cc66f3f0dc79394d9e803c73dba22f28eb5afe32c3d65fe00651ca55f38d7fa6f93e

Download Submit
C:\Users\Admin\AppData\Local\TempENEYB.bat

Filesize
163B

MD5
8dd5104a3409226cad2280ef472c8e22

SHA1
4d9fe1838efd406e46d6e277292799540f07c0c0

SHA256
e29c9a70fbb0dc56de0e255fe805153be54d09f3092b156c7e7faa216eb62907

SHA512
1ede201d023d6f4b6b514e522c8bdaf29d1c68a509aa680aac2cf1088cd83c80749bb4706792ef9a72b23f4d476d6c8a0d322620768d8955452977e5dba182f1

Download Submit
C:\Users\Admin\AppData\Local\TempFFYOJ.bat

Filesize
163B

MD5
f3719e263529fa662715cdd85fec8596

SHA1
6148a2364029aa9781f6f2d6143ad2b060483be5

SHA256
ee5e309ba64eb2c3b5f807c6b026a982ffee23b8bc50a9e3184b80e04275c9fc

SHA512
749de53bc273ea7004970b838725bf7c612d34254ed1ab6d5af5bb83518865a34ab97cb0a47a9804b60ba8a18c0fcdddc19f8e679f940ea04a2c72b747dc609f

Download Submit
C:\Users\Admin\AppData\Local\TempGLITQ.bat

Filesize
163B

MD5
91c53910cb73fdd3ed1245d9fc257ef6

SHA1
9e9b26a1f2ca2d0f74e0e80440d592a5862c5349

SHA256
a917a186a114d8be44fcd277a887bc74232d383dcbd75a7b6d7e863a9a345b74

SHA512
2df480a639d85224b9ab96559fd01ac51237cf42f37b8c92c3b5bd21d68cdca9e1197594dda880a8e966b820264b8317420b28d1ef2cc2baec12cc3acd5928a8

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
f1011e2ad9689a7cf42a9447ea0dc057

SHA1
39411847e28ba728aa33b0bcc301498eaf5e52f3

SHA256
55669f07ef4efb82b82c8a73655297efe72bff245e96e22b016f34880b720752

SHA512
fd56e5c98ac4d357f7d9b7bfa84011b336ad6ba226bc0f88f197a08f9c0279fe94a76a5646e64525c4b6fc6bbba476e50c060777ad4a1669bc2a24aa6c7cc6ee

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
4ff1d66e34088078840e9bfb6eedb146

SHA1
8d38af5d68d2bf926e09b6078a60bd1a85eb4b43

SHA256
9365ebd186294f5c3a7613c2f779d3eeed6037afa5c5dd1362c1bfbd14c9628d

SHA512
b9f8854a0e4573fca547d497f0e9d49d171f1a1cc65acac21781b0bc91a45c332c313b011666b9046acc954499694dc099c392a5601717a0984d1b6664f51e2d

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
003c89fa3c4c23bcaa945e0122a2ad78

SHA1
c3daf91e40f93e9c174594e57044887f42ed6ad5

SHA256
3eeeaa97262bd94b5d3dfd22d9b0676573c72e8d2b3f54486a5b65cb1cb01333

SHA512
e2abb39cfae34d9cd35fa5db9ca71745ae16250f3141682901b9af9ecedfe0b7d8a412ad76f9d39f3658a25bedb40a49139f4da829e2336a6cf00c5ad1713e22

Download Submit
C:\Users\Admin\AppData\Local\TempHCIWE.bat

Filesize
163B

MD5
c4aab59a6e9f43794e513644788f944f

SHA1
9f2c271ab850219d3a87188c3a1848cee93001b8

SHA256
feaaa0448ecb043ab6106f34b913dea22ce6499fc2f0f45c30d399a11005621d

SHA512
694557e76eb5ac1046cef50aff7824218c4612e93e329a43aaa1a9fa89113a266f71feca021251cbdc4eec57fc8993bbc550495221e9cd7ab614fffd8f25565c

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFJ.bat

Filesize
163B

MD5
9cefd998d2459579fc67fd4c86ae11e9

SHA1
47e80db8106748e56c0b9e9c6a7fe9a9a7479d3d

SHA256
2d65638d2f338912ac4bfca697e2704258b9f77070ff645d374278834d3f04a0

SHA512
95dd5c02ab171fb280a76ee148674376c491978b2371f40846c5c4d51ea47125318cd0c5b86d7e97ca46156c2d1643eecff0ca4cd18cdff312916f1ac28de97d

Download Submit
C:\Users\Admin\AppData\Local\TempIGOAG.bat

Filesize
163B

MD5
6c0c1ab6a0418d2467b2d06b165d6d81

SHA1
9413bdcb0cf08e4ee205c5059468597e1f70e032

SHA256
fb9863606fe7a400b9e934275430adddefb375decc16552d4939cde56c366b4c

SHA512
5dbcd65bf5df9c3ddb26d462a84be72486d1933e355657fbed61c179cb1f000a071af4184efb066e40f871cc0c6fe4bd9e4d79882ceb74e1a2fdbceb9c094e10

Download Submit
C:\Users\Admin\AppData\Local\TempIJRNW.bat

Filesize
163B

MD5
d5811bd988972a3991bbf82f7b88d675

SHA1
c8c6a418f390f9e574aa8d3da830451c85fb022a

SHA256
537e0de448adb78c31b0cc3357f228d32c726ccd62bb6ca1d974b8f3b8d3a367

SHA512
5d1e6485262534ccbe3340bdcc12f4e3a86bcb26dfde1720c0a14c805b40e6e4e5748270aba15b9a6dddebf80845c26944ccf67f07bde0824e16e1700ef1938a

Download Submit
C:\Users\Admin\AppData\Local\TempJBDQM.bat

Filesize
163B

MD5
066291f0a606ae6954451b6996529127

SHA1
b6a4d0b8bcc0bc363ec678f588d66c4b52c0247c

SHA256
aea6f84cb4c3377d536c519e2748f950641611c4b4a826cca751a31bf6796e30

SHA512
cd1c4566e28136a33a1762eab3d59fd4c8a5d09d52ec9e6319f28ab2c1326b67d25ffcf7bc0fad29e2e907c1448d2085d4356a02a77f80ae0708e0c2b6dd8209

Download Submit
C:\Users\Admin\AppData\Local\TempJBDRN.bat

Filesize
163B

MD5
8a50e4923d199dabde964f741af5d3fd

SHA1
5c14aeac4e6e9c105f75dd4c697154223110f936

SHA256
b491c15dc5483864e46a58d6b12d5bed19814c47d0e24f7a25839b50753e6a09

SHA512
0c64ba1855c540b439dfd7cb7bf2dec6bddff1637c5a5694274a6962d7a99e92c9c8f75e6b358c5974c3aa94f3ad99a73aaaa7508240aae72a329acd7444c3a3

Download Submit
C:\Users\Admin\AppData\Local\TempJHPBI.bat

Filesize
163B

MD5
00b7af44531088a30a6650987a99ac2e

SHA1
7a862f2ac92c365d7aa9372c89dcce37bcf35510

SHA256
31cc9867679c60f20a00e3e5d05d20dc63a7b0e915a1889fb153195164c4fe65

SHA512
d50df0c790741e63dfdb7baa4b59a3133c3f8ab8e699fe34e016d871aab54e3c7947a5693aaed48e19ba4d2ab313c17460d9c6eee5a1c003214a2a3946f2b722

Download Submit
C:\Users\Admin\AppData\Local\TempJXESR.bat

Filesize
163B

MD5
c6f1ff882db38079e21bbda6b885aeda

SHA1
3092bca99537c7166c5e23b6604df505df419f91

SHA256
97490cc5b3bf06dcdd426f53b5b1598a9928f22d95fe5fbfb989a491c14bf88d

SHA512
a5537d07835d417a9dddc5a78b472de5dd2acca4015b9dcd8e92a0a73539c36732441f828561c1c59b11aa308057573621fbfabddf55a0f0e8db7deca89c3af4

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.bat

Filesize
163B

MD5
6ca4d3d41d3a4c774bfaf3f6806560d5

SHA1
fd696a7034b5ece8ccb783d4ca6794440376de92

SHA256
8a6faa2be09efda9d9b3e973fde2c51521d40a97215162f71bc1ffb722125650

SHA512
38f232cb0d6ff1d8518979754cb07dd50797871226fbe4b9c23697c5131817804b1bdaccc6d5b899a502df24e586650d8478e82fd14f987485064993455fc426

Download Submit
C:\Users\Admin\AppData\Local\TempLGPGE.bat

Filesize
163B

MD5
b0636b5a484d942d1477c49e0b735d8d

SHA1
2871ac01d4df783200865e39170489a096f8d9f6

SHA256
b8f3faf19c88193998220f98b3be87e48c560b6a77f08f375b6a41f357ea772a

SHA512
96df53a3ccfea43f36765dd5c5046339213d19dab1e16a11e019d560a6923bf564da64c16270dd39b5ead28fce52ceb67d43e08fc0512d85b690dae7ef73a0de

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
d75c35c49c091739fa8e237703fbb5be

SHA1
6f4f5091ea425894e46bbcd652365c32e210ca29

SHA256
bbba4256828f063db5ba9fb2e034e993d5dc3b8f8679e2ee5efeaf7f22e590bd

SHA512
763f88b02d6e6df01794ec982a530f7c2631bd6070982ec5be6933f5fd4714fd3de4faa903790edf1e25f760fea9bbac9f45a9a12a29f69a210d072de563c414

Download Submit
C:\Users\Admin\AppData\Local\TempLYGPG.bat

Filesize
163B

MD5
2538190c6062703177adfabf523b9e75

SHA1
85c7ead20672b32c7efdfc2a759c252cd82bac7e

SHA256
16f5e79997c3314eb05c63dfb750478c20bf0f0b485544e73fb8521214643c42

SHA512
3e99bbd7c635083eb18b1f53f4abcee43429493725ce6cc4b557a7fbf8f6fc0a61315e85701b42ce2f52f16c60cf48bb5dfea3b5061db8c54fc79276fd67d846

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
96cc58b76ef274442a781d7f6d9d706a

SHA1
62a8a2e9ffda18251b67434613ab436c2c5e6167

SHA256
eb26a20af1ac8de3fbc800f12a5774117d8c1be4f57ae89792d9b2bcd8a5b7bd

SHA512
7affa11bd73a5295053d927835434c844898751e2338328ef4a1310bb4f4760f4b671d0498e18fb59d850a276b166b873b3fb80e34a49fcbe5fe1627e12cf27d

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
94feb1d592f93d0e067a85161601e956

SHA1
cf04d3753ae1babda07fdf71aa667a497aa5a490

SHA256
eedbc343819537785f5ef9600d0c365dccaa40c1eb47d925a9b764030da9e49c

SHA512
3682b5b4c9e2dddf4b6e2c5a61c6077778c00e2ed15331a5c5ebd9b93130eb87e776e1ae9aac8514a378339aa413f4c9567030f32626847d2eb14db5ddb8e0a4

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
120609861f7df1da17cba46cefd9f885

SHA1
ac08d0bb5fbc7651375fb895304df769f518731e

SHA256
488ef4dd57d9ca8668a839ea4c9a892c8ce4741de7c1c94c2c58003d0438ac17

SHA512
e90794edeb6997d3da6387386095e46e2af239c50aa9ec781c84bd8990e3415c941e18c90e0d4c63d79fab0920f44a60112dc5b872868042f041afb093f94739

Download Submit
C:\Users\Admin\AppData\Local\TempMPQWC.bat

Filesize
163B

MD5
e2a630fad44c4f93280de248fe544fca

SHA1
2c96c293a015a6f55c3a90dc5adf7e7b99b7aacc

SHA256
2ca1d89f77be2337f1b8708bd89d100cc913f5ed2d8aab1ae6732775d02b6fab

SHA512
1a9703c7ecb6b2b79c5ef989368a8a79ef6b1b56a101c6c3fc5ce7c67039face78add9eebf893b2e41369236db0ce6a0f950acf6ae183e474b0e6f28dbce4b64

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
b6b840ff8307ee32791b0a11dcfc6c1b

SHA1
48ab0432da2073016e17dbd5475f8ad1df654ce1

SHA256
4ae54b9e9997d21ea0277357a399b36349def9b6f1ad5fe59d2ff90951aface4

SHA512
3b3d034efd66858153a7b032357ac6bacaf75be3d46c46f16f0a1471871aca13b8fa70690567f5af92617e9250086c76d664126ab8dca87c5d48b444224f0762

Download Submit
C:\Users\Admin\AppData\Local\TempMVREC.bat

Filesize
163B

MD5
6edac9d3462022d02e120279da89ddaf

SHA1
f278c52733191d69d88dbe1df8b6a02a93ba3fea

SHA256
22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc

SHA512
ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b

Download Submit
C:\Users\Admin\AppData\Local\TempMVRFC.bat

Filesize
163B

MD5
7be2b658becf72aeef87809ebe6682c3

SHA1
1093979795cd05c0b5207f38508e442c25ae4edc

SHA256
f177f6af87e97026b908033466da9bc5fed79cc31253f6badef3235a99c52c42

SHA512
41f06f36e74230c39845984e094cb41a2f2c9f7fa6b2053e699b0b3e70caa2d482e7217c36c5a22ac6613d0cfb7799944709cc7e923ba233f917c26feb897155

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
136b7fb3d1a7e4059c007d2c604439d5

SHA1
b46979b4355b2954b017ad8a50440895cafbcd21

SHA256
a81439c6b3bb3671f81542571a09edc46c19a71eb9310643271019f400f0c749

SHA512
201845d3f30dbde37cf26898934b003190d004c8408db9fee10f76aec96c5ac12f0ab6b2e565f5952bc9e96ed3c124a8d390aaf8f1bb8220e66e83ce72240bb0

Download Submit
C:\Users\Admin\AppData\Local\TempNVKKL.bat

Filesize
163B

MD5
33fb2b71d8d5cc932d42e0c3dfd8bfcd

SHA1
31be7f014020d47ae5e8c1103cafcaba3692d698

SHA256
907f3925ac493c33f1c64c135c2659368bbb5d3c185b57a97dadf345f6fc9e62

SHA512
c881ff480a460163aa98ad8170124bf822d0b3919999df78a6c55bcb9e4954a9997d847cb4f0e3bfe0636ad22afc0a4b2d4833d2070a03ffe49010f713217a1f

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.bat

Filesize
163B

MD5
c1266038df9c6a281312a0431b1f0b9a

SHA1
41fd51e2c1c64ca3d61a45a4f39fb2515cbfe814

SHA256
441ca566256a9552c63bafa885c4ba1309788c5dfbbbf1d6cb256699a747ce3f

SHA512
f8a759ce3e9fb85a51b7818fd58ebac88d548858e3a244c34d2b1c44271c6ecd70f5498d8803e1a4adb67981f73ff41361c8ee3e5f6b1f5f7178aa7d73c0b07f

Download Submit
C:\Users\Admin\AppData\Local\TempQLTHI.bat

Filesize
163B

MD5
4e9d20c021ca7eb22692145d5af02cb3

SHA1
89778ac20b0e2dfb652956058766385cdc3aed46

SHA256
82e2ed618e77beef8701a5f20bb27e87066b8aa46077611eb274bc4cbb6d5d90

SHA512
9ae5fe827e790fef9d871fd1d10cdea153825a8d4a9dc0cdaf2000501af25cc15bb45d3381801d592e3f0a76a458d6f6cfb4f783f915ca67388bb4e198ec2e5a

Download Submit
C:\Users\Admin\AppData\Local\TempQWNKO.bat

Filesize
163B

MD5
c9fb5a391d519d8f0e3a536529c30fa3

SHA1
59d9c1026a77152610f3574f16be9ab8e4167455

SHA256
778528332f0ffdeab469b2cf94bc3615f68b8c3a4511582e2c9e83353afd67b4

SHA512
d045b82cd3da2af83a0cbcbed8772a13a223611760fd177844e1b9a7a17f40cd8e815f4b8a02ec293ea44aabd67edf16751b529d40812620849fdba77e642b1f

Download Submit
C:\Users\Admin\AppData\Local\TempRSXEF.bat

Filesize
163B

MD5
50bbbf5524dacfec25beee4cda0c1c29

SHA1
3fd6c1b8bb90c1d0861ff798675c5fb2101c58f5

SHA256
fd428a7373e0e2051e9fcf95cfb26406832ce301cb8c8d2fe4d9185ada88c583

SHA512
2129a0f899999954ad9b157ec67b75f98fceebcf3fa07ee210ea1bd40607abbda29cca1590053ad2791e45e3233e37beac2eb9eee77b9fe0c277a08ca1bd7b7d

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.bat

Filesize
163B

MD5
4d890f959a4d385e04d772ea987acbae

SHA1
41689789e4ff64776249ca571f2cf25d73569352

SHA256
6d52454135cf46234a716e74e7b284df88f76661ab37c31c21f56b62f9864ba1

SHA512
20f75f9081b01bc1354a411d3d8e3f7862f05fdd8b9dd5578e53e372d0456d4aa3850a4c71357a4a22a3fa6e695ce210e17487de535b6484d4f9183710038b22

Download Submit
C:\Users\Admin\AppData\Local\TempRVQYM.bat

Filesize
163B

MD5
4dd0704bf70b7b2cd6dba3eba341befe

SHA1
860564bfcb7fe35b15edf5cf68ea9d234451c946

SHA256
1d257f770fd370cdfb4a94abc88a1f46f6779b26afc818fcb46fb7d30db5b1b7

SHA512
3d7a3306837482e3d979a2c6cddd0279d713739a7acb27d602d124ef253056cd3ae8ae5a911ff57d21e7d7d150a83aeb1305e07f8273c054820d22665915be34

Download Submit
C:\Users\Admin\AppData\Local\TempSDXWL.bat

Filesize
163B

MD5
c26a343b011df42b16a20eb1e4b21ef5

SHA1
0dfa155e2a600c60d6aea6b62fa10c27c158ed79

SHA256
c00ea0b40282a342ea5dc7b6f7b0dd8ddfa38da65187885a09b2248e05bf6460

SHA512
e8c62eb5b6ba83728fff93efe994b9e4b237b050671f877301934169d1e469ee15a63007fa16af308181ad5b662121ec9d51fd372fe2d5830cf5cac2778a21c9

Download Submit
C:\Users\Admin\AppData\Local\TempSGNIM.bat

Filesize
163B

MD5
dd1710e47b3b38fb7526c5e65619e1a3

SHA1
dfa2f249fa2763ed6be626a60d9b894fd5a4f15c

SHA256
f3365aa281bc7a8122d9db0213d060aec7b3acd05ba6dd33cfe4df6fa017884a

SHA512
b8aa3874fb4f402d109f057cad2cc2a4ad40208c5113455b4ade81910b651f6c3d6ea5d48e228bc2aa823b4e7a6ac264ae6fc87093fd215d1833d2801652f5bb

Download Submit
C:\Users\Admin\AppData\Local\TempSTYEF.bat

Filesize
163B

MD5
4573a21f42451a14faf5facf42ffd274

SHA1
6718528373c249e9c14b48ab6e3555e13af5f24e

SHA256
13a8907d5761782606d4b373d7cdf80b9d094c200b8d173e1a294397d525cbbf

SHA512
c7f37c87295e9da90d37ea893f9bd7f34477d1bb835659037e82688145bbfb78385171890662d0f64b443a3ae9ea149eae87d64701d2b55ae1701f61f057484a

Download Submit
C:\Users\Admin\AppData\Local\TempTABHE.bat

Filesize
163B

MD5
3c4baafc805c41b1aa2e4300116dcb37

SHA1
9590df3ee93a3b269122febc129ee84f722407cc

SHA256
2888ba6f4d5fd005849b2bb464972e7e4104ab317b6054a423b5f4f9d6345c85

SHA512
96ad01b6fa2cf7451f1c916309cd9a9457a27736442e311fed99e8a9aa9877190773100a57db4ef66e295703752b879b491bcb3188bcb3065afcaf90bbb2ee48

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
553bef3381654ce8d6afdd841befeff7

SHA1
684eb6c54b3cf697860d781e42f49e172d0ba589

SHA256
651fa337db94e08aee6ad768a72f0013798d0727aaff3d88e50ed99fa5ba1813

SHA512
ed873df1f2d15117b19d2b3d8546fc8b62705e27838fa48cd59ccf1d0676f80eb66cf1211bc9c45b1ea2a0555acb65ae98aa50cb1b14fc6abe275702217d694b

Download Submit
C:\Users\Admin\AppData\Local\TempVHHFN.bat

Filesize
163B

MD5
ad82842722ffb58f85923fe72995a080

SHA1
b0196c7e43c41f945699d8086d0bdab02be7119c

SHA256
bddd1ccc5afa476901c4fb69ff910093b51ab37f436adfe4e3daa069d2b633e9

SHA512
a101e08b3809eed1713d50d162ae3d7a00c9b3e89f41de67d91f01091eafe2d7d93e0bb46ee4eb52419dcff7877b5c3ed1fbf33ae53c407c8f84e517f6b42bcc

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
4f57139833f2bf4d8e96fba71da04256

SHA1
412f72ef752e48c15e1235fa306e9954f868c4b5

SHA256
7a189248f7e6c57e7d5a0fe3a88434801377f62ef56e62d01266a3f2eb04f970

SHA512
1c02ca52fffc8f84b3f95238df55b56dc94edb5b9f4647594ff0c4c059ff7b55f2ac3bbc8e8aad28dfc636ab449f4cce8b4858b1926b4be21cf498cb3a82472d

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
7014b90d9be55de0e424696a16ba347a

SHA1
b78527389196271a36b187ace5db4411ac3703d3

SHA256
f89fec4ad177be2d4d3275f328914e57a160f597d11b6f48f1e1de548d02cce2

SHA512
450e98e99cda42e95811f312af35878bbee1816acd17ec8ce2da92b35a4cff1514d149f1b2e2ba8629de3f14fa0e7da69b4a81202f55149dabbb622af0f6f0a7

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.bat

Filesize
163B

MD5
635de313b7c33c5735e666cf31ef6663

SHA1
15fc001114b56900e86b2dd65679ae3d249b32c3

SHA256
89751f5bb46f37909a9b640ed38c8baa0e7b4424f2c6a7478ac8c18394c8e87d

SHA512
cb6073aa37055f48e1804835ed290ef0147b86fa4db7d37e97260bde0a0bf609c693324ca9d8b19f3fffc27a050cf79a051173e1e0ec7987e355553e3600b376

Download Submit
C:\Users\Admin\AppData\Local\TempYGHQL.bat

Filesize
163B

MD5
3fde9d66db99fe0a8345af71043380ca

SHA1
c5d9611efbb5affe1a44bff0bcab0e5b2a726a27

SHA256
4e6b534adfe1dd850837a6c6e85d65c515abd49a2bda0381586334cbe2548540

SHA512
40ed5a60eb03ea7bae6b724a0dc1c47f7f7e5fa18291d6f2861ddfd2e86418a02fd1ce4e1635dd65906282709f0747f1c43341da1d154d942f1713cc43d1d186

Download Submit
C:\Users\Admin\AppData\Local\TempYGUTF.bat

Filesize
163B

MD5
6c3852519ac85fa5dc9246ba449b598d

SHA1
52a319ab6320cbfba6af8318cf74528c331f02ba

SHA256
35a8190060466b838cdd9e59a224ad69e752c49b79aa712ad1dffb0171af1e18

SHA512
6ca37c55958c619d59461d53c5f44096bf60c7eafbd52255cb92234ad4754058f5d5002e6c75bfe3fb6687be84097bed30d2476c69d29dcb427ea2fe1b877047

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe

Filesize
520KB

MD5
4c81617b1e2d5a148ae35945a507131c

SHA1
bd7a4fb338e351bb1e935d00f0f4b03c87f4ebc1

SHA256
10728744336252223fbe1ce17311098c12095bf0baecb764b5521d9c9a9490a3

SHA512
d487caec1d3452a08ad1a04dbc6df6a0e57c186234b460e95846da4f7377d1dfdcc65f109ca7adbe05908cfd17ef5f233be78ecfd27b04ac222c0e7a8571dff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPLYOYRQSEINBNV\service.exe

Filesize
520KB

MD5
409aa4b9037708ce5cda982026da630f

SHA1
04290d4ba7745bf2fba042da7e8f70360734becb

SHA256
789ca5816a319bd1498c19fb91a41b4d51128c96aabc2ccab5e44322ac7bc99e

SHA512
bab920f65a99148a1218fa97aea585442880634e8a034bf42e21f7838da673ce241fa483f77663820fa6833d8cbb17bd226fe745effb776b72e6663fe4178e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe

Filesize
520KB

MD5
9230fa7858bdb8545ad95b4bfb18215f

SHA1
75dddfb1f304b38a67021b9e48c5221b9d6028bd

SHA256
1f13526222e394610af87dfc99a92e04b2ad0e0d72b973d4ccd25af0a14039d5

SHA512
8ea85ffd88d830daf90c27f8815dd2dbee4acd93534de41ad9ac8f43fecdf90168dea7a82e6f7f26096596d8ccab2f081490abdcaf2e5eaf779884ede4ab804c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCLC\service.exe

Filesize
520KB

MD5
7ab3dd785ba64ef06b1014d273353ba1

SHA1
a291587647f82ae9595e3a14ba13dd5897b8c8b5

SHA256
8b7067bd83b97549b90f4297c12d830a52b96a79418169923930eaf7c75eb6d0

SHA512
ad995d7bb0f19c49229bc1006f4bc22378ea247744deb4fc809991328f8d22ef6427e827da57195307d8fa56110f4eb5eb1570d7345d0cf183d2ad3b968908be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe

Filesize
520KB

MD5
7963a09b697cdb5fa79a491f839c66f7

SHA1
624d824e6495bbcea31a430ca196f028a7714871

SHA256
b666694cb81047be3e892bb006167bdbf91663497a0c850a0925cefc48fed768

SHA512
83e0e312190100bfa28eae190ea5544e22e9e9057d4620163b6a04e588be3e03ce056881c1fa340ebb7351efd9270f5e95eb294264077f06031958206bf9115c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

Filesize
520KB

MD5
98a25157973a9b066a77ebd08f95fff0

SHA1
3901dd39b521e74245debdd7ae0622c72171c7f7

SHA256
eca58610f649d012448a9854de0cc43d6c2dd0bfe566a9540e495dc7254fc32f

SHA512
f83067c335fc06ca556ab5467744a5538445b2f2d880d366846d1e81d333723d46fe5c495cccbfd70b5e42748dafcd2aa6f6586b62e5e30213d8562a31422250

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

Filesize
520KB

MD5
900f42dc1d429036ba2f56391404b07f

SHA1
67e800f888d58a5002a09e73f069adc24dd9eb31

SHA256
fc0dfa905f0dd02af9a0da10771c86b4031bd95052aae87b26ae785027d3da15

SHA512
13127265295c63c769c3c096c4113e1324d3ee66e5065ba724708e28c1f8eb07500807d0443436bd7a863a2e66a016aadd757cbc0a47bcee946d75b17d137ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBK\service.exe

Filesize
520KB

MD5
7f42bfa701564f80fd461b307f2a1ae6

SHA1
1c2b9bfb9151baaebdedfe5033bb3d6a03dfa8a2

SHA256
5fee90c125714c22fda1060a3634221dad80d280a4a281dfb54d958fc7babc97

SHA512
88819c7615d566e21d4bee6363a996aa9ee781ef6d26fbcf7bf1513e1d901e68faeb310f4a7f5b6b6ead905ed88da679ae465c01862095889d0e614fceb01198

Download Submit
\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe

Filesize
520KB

MD5
3456cf7b9a063946476f4109e08383a3

SHA1
8cb0b3e6d8194edde59212e28fa8bd57379ec5e0

SHA256
a88852b1908e669dcb2dd03326ed2b322b33853e56eee8618b084f17e581ed16

SHA512
ec218963c4e738d472544523eb743d794407026dfd6f7873650f0b66088f83acbdb3c8a1fc30f9b60e182857ef44b1931e61387ab21cc3a2e2ab65e7382c2679

Download Submit
\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

Filesize
520KB

MD5
fd94185b24270de1beff159818b29ba9

SHA1
b8e33daafadc75bcb738caf22ce3f4f981bcfb62

SHA256
745fd53b4dc5d718aadb1d88c4788d10b9d5e616fdfcedd9bd93dfa803f8d4ec

SHA512
aea8d9896b0dbf14a1447dd034a1f03f86bc6476ee048ce4dc4c6b459a61b5fe5ceeac0de801dd154eff297d6b33329fe019018fb1f1f9135584c7846e407490

Download Submit
\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe

Filesize
520KB

MD5
caf4dc0615adfc68b106ec3a2a028b84

SHA1
7e583269c3cbf1998ff929c4186942f84357031b

SHA256
a11fb8fcfb5190f757357d4856aaf8aa50dca23e9f5b08aed6b3440e9e6337f9

SHA512
19e79f3dacedfcd92125912956fa1f16e143113e66b8c37f542e261766a8d6679de12c3bcc5602ddef7c1240c02543431f4db6a7cf3d9e43b8c2a5b1f8080f5c

Download Submit
\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe

Filesize
520KB

MD5
3377503e11ccda7a8560d0586c18fbcd

SHA1
94050b7110ccec8cca6537228f657d554f2fd155

SHA256
93b3727e704848eceeb11f57be6aec9892cb37b56ea6329f041854d463719d7e

SHA512
0df7a41638a0b3ff24c7e6bd8203b3dbcba98f9ded8dfc3f5a7c5ac8d0a3bb3f3731148b5761cd2d368ee75d16bab9c4dc4df92eb664160df3f64f36673e0423

Download Submit
\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe

Filesize
520KB

MD5
40fb0f27f1ddfd2008a50484c797e46a

SHA1
4d507aea490c3baa20853b9eb5d7d253da8baab5

SHA256
1832df4414f13419a388f6ebddfb826cb98a8b7e726794fc48eed1e3e183a19b

SHA512
6568c8b05e57a58441faef7dfa1f735dbed23e2f11311a6240c5979c1e2986ad82c19d9797a140071ec8c6ab111cb212759b908a43c84eb484bb4ae25b47fdac

Download Submit
memory/1488-1298-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1293-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1299-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1301-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1302-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1303-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1305-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-1306-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads