blackshades | 3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
Size

520KB
MD5

05dd4591907c614bc68aebeaed6193b8
SHA1

be46e28b8082177adde63329fdd3aafabf310d9b
SHA256

3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7
SHA512

233ba57c60b19621203deefa73f4a3ff4ec3923fb423c05f3dd2089e407fd75a872080d3f99ed6654e40aa6035a6473cd0df70f7988cdeb7dc192911cd8311a9
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXr:zW6ncoyqOp6IsTl/mXr

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 4 IoCs

resource	yara_rule
behavioral2/memory/4024-1724-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4024-1723-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4024-1729-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4024-1730-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSCONOKIPKAOVEP\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 64 IoCs

pid	Process
1524	service.exe
2408	service.exe
1532	service.exe
2472	service.exe
4888	service.exe
4356	service.exe
2764	service.exe
1948	service.exe
3736	service.exe
2892	service.exe
4880	service.exe
2868	service.exe
3740	service.exe
232	service.exe
3864	service.exe
928	service.exe
1620	service.exe
4280	service.exe
5084	service.exe
3616	service.exe
4680	service.exe
1404	service.exe
1448	service.exe
2724	service.exe
4588	service.exe
2936	service.exe
4040	service.exe
428	service.exe
3424	service.exe
1496	service.exe
3248	service.exe
4936	service.exe
3928	service.exe
332	service.exe
2840	service.exe
3572	service.exe
1180	service.exe
2036	service.exe
444	service.exe
116	service.exe
2724	service.exe
732	service.exe
4928	service.exe
4396	service.exe
60	service.exe
2024	service.exe
4876	service.exe
2196	service.exe
3248	service.exe
1944	service.exe
4720	service.exe
2500	service.exe
2992	service.exe
5092	service.exe
2564	service.exe
2744	service.exe
4672	service.exe
3636	service.exe
3500	service.exe
2036	service.exe
3988	service.exe
860	service.exe
2096	service.exe
3688	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIFJFMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAIROJDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNTLBBDFTBPOAIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNLOEJXWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTHTEDHYVWIOVVG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FLQCDGSTOMPESAJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HFQOMQEHDBSXQGG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHIBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPKJLBOVFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LBWTSWJANJHXVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMELMVQQFOBXWAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJKGEGWKRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKDHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQLBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVSRVIMIGWULLN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SENEWNKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSECGBJUVRPRHU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIVVDR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRMCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XBLRYYJAACDRNMH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRDBFYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSOCPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGVVIKFDGVJQLPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJTKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSCONOKIPKAOVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRSFKRSDWWLUGGT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTHKGEVTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIOVGHAUBROYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VLMJSEKPBDGRSOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFVOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDWNOLTFMQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MDNTLCBEFTBPOAI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JRFGXGGPKTKITRQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYUPDKFJXGSYOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIWDMVTEAYLEYFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSOPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXTHUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRMLRNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCMRYKAACESAONH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FVWTCCNUKIMHPDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDUQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJILGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GEIDKWAXSRATJWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBULMJRDKO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVHFJEMAXBYUSB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IECSYQHGIDABKYG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHMLTLAUQLVGWBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUAQLGAFVWT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OJHKNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNGKBM\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPNRMUJKCJJSOWO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGIVWER\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XKAOKHYWMMOJCGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJNIQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAABVBSMAHC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSNMHQXIEPIJSVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRNLSNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CHVUHPGYQMHXQBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJIOKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBBWREMGLITQOSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUPSWUXINSFCRQE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOLQDQSNG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYXGRY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAYOTYEFDLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNNXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4760 set thread context of 4024	4760	service.exe	385

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1600	reg.exe
3092	reg.exe
1860	reg.exe
2892	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	4024	service.exe
Token: SeCreateTokenPrivilege	4024	service.exe
Token: SeAssignPrimaryTokenPrivilege	4024	service.exe
Token: SeLockMemoryPrivilege	4024	service.exe
Token: SeIncreaseQuotaPrivilege	4024	service.exe
Token: SeMachineAccountPrivilege	4024	service.exe
Token: SeTcbPrivilege	4024	service.exe
Token: SeSecurityPrivilege	4024	service.exe
Token: SeTakeOwnershipPrivilege	4024	service.exe
Token: SeLoadDriverPrivilege	4024	service.exe
Token: SeSystemProfilePrivilege	4024	service.exe
Token: SeSystemtimePrivilege	4024	service.exe
Token: SeProfSingleProcessPrivilege	4024	service.exe
Token: SeIncBasePriorityPrivilege	4024	service.exe
Token: SeCreatePagefilePrivilege	4024	service.exe
Token: SeCreatePermanentPrivilege	4024	service.exe
Token: SeBackupPrivilege	4024	service.exe
Token: SeRestorePrivilege	4024	service.exe
Token: SeShutdownPrivilege	4024	service.exe
Token: SeDebugPrivilege	4024	service.exe
Token: SeAuditPrivilege	4024	service.exe
Token: SeSystemEnvironmentPrivilege	4024	service.exe
Token: SeChangeNotifyPrivilege	4024	service.exe
Token: SeRemoteShutdownPrivilege	4024	service.exe
Token: SeUndockPrivilege	4024	service.exe
Token: SeSyncAgentPrivilege	4024	service.exe
Token: SeEnableDelegationPrivilege	4024	service.exe
Token: SeManageVolumePrivilege	4024	service.exe
Token: SeImpersonatePrivilege	4024	service.exe
Token: SeCreateGlobalPrivilege	4024	service.exe
Token: 31	4024	service.exe
Token: 32	4024	service.exe
Token: 33	4024	service.exe
Token: 34	4024	service.exe
Token: 35	4024	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
1524	service.exe
2408	service.exe
1532	service.exe
2472	service.exe
4888	service.exe
4356	service.exe
2764	service.exe
1948	service.exe
3736	service.exe
2892	service.exe
4880	service.exe
2868	service.exe
3740	service.exe
232	service.exe
3864	service.exe
928	service.exe
1620	service.exe
4280	service.exe
5084	service.exe
3616	service.exe
4680	service.exe
1404	service.exe
1448	service.exe
2724	service.exe
4588	service.exe
2936	service.exe
4040	service.exe
428	service.exe
3424	service.exe
1496	service.exe
3248	service.exe
4936	service.exe
3928	service.exe
332	service.exe
2840	service.exe
3572	service.exe
1180	service.exe
2036	service.exe
444	service.exe
116	service.exe
2724	service.exe
732	service.exe
4928	service.exe
4396	service.exe
60	service.exe
2024	service.exe
4876	service.exe
2196	service.exe
3248	service.exe
1944	service.exe
4720	service.exe
2500	service.exe
2992	service.exe
5092	service.exe
2564	service.exe
2744	service.exe
4672	service.exe
3636	service.exe
3500	service.exe
2036	service.exe
3988	service.exe
860	service.exe
2096	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 3948	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	87
PID 960 wrote to memory of 3948	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	87
PID 960 wrote to memory of 3948	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	87
PID 3948 wrote to memory of 4088	3948	cmd.exe	89
PID 3948 wrote to memory of 4088	3948	cmd.exe	89
PID 3948 wrote to memory of 4088	3948	cmd.exe	89
PID 960 wrote to memory of 1524	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	90
PID 960 wrote to memory of 1524	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	90
PID 960 wrote to memory of 1524	960	3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe	90
PID 1524 wrote to memory of 632	1524	service.exe	93
PID 1524 wrote to memory of 632	1524	service.exe	93
PID 1524 wrote to memory of 632	1524	service.exe	93
PID 632 wrote to memory of 4304	632	cmd.exe	95
PID 632 wrote to memory of 4304	632	cmd.exe	95
PID 632 wrote to memory of 4304	632	cmd.exe	95
PID 1524 wrote to memory of 2408	1524	service.exe	98
PID 1524 wrote to memory of 2408	1524	service.exe	98
PID 1524 wrote to memory of 2408	1524	service.exe	98
PID 2408 wrote to memory of 2396	2408	service.exe	99
PID 2408 wrote to memory of 2396	2408	service.exe	99
PID 2408 wrote to memory of 2396	2408	service.exe	99
PID 2396 wrote to memory of 3860	2396	cmd.exe	101
PID 2396 wrote to memory of 3860	2396	cmd.exe	101
PID 2396 wrote to memory of 3860	2396	cmd.exe	101
PID 2408 wrote to memory of 1532	2408	service.exe	102
PID 2408 wrote to memory of 1532	2408	service.exe	102
PID 2408 wrote to memory of 1532	2408	service.exe	102
PID 1532 wrote to memory of 3608	1532	service.exe	104
PID 1532 wrote to memory of 3608	1532	service.exe	104
PID 1532 wrote to memory of 3608	1532	service.exe	104
PID 3608 wrote to memory of 4852	3608	cmd.exe	106
PID 3608 wrote to memory of 4852	3608	cmd.exe	106
PID 3608 wrote to memory of 4852	3608	cmd.exe	106
PID 1532 wrote to memory of 2472	1532	service.exe	107
PID 1532 wrote to memory of 2472	1532	service.exe	107
PID 1532 wrote to memory of 2472	1532	service.exe	107
PID 2472 wrote to memory of 4928	2472	service.exe	108
PID 2472 wrote to memory of 4928	2472	service.exe	108
PID 2472 wrote to memory of 4928	2472	service.exe	108
PID 4928 wrote to memory of 4028	4928	cmd.exe	110
PID 4928 wrote to memory of 4028	4928	cmd.exe	110
PID 4928 wrote to memory of 4028	4928	cmd.exe	110
PID 2472 wrote to memory of 4888	2472	service.exe	112
PID 2472 wrote to memory of 4888	2472	service.exe	112
PID 2472 wrote to memory of 4888	2472	service.exe	112
PID 4888 wrote to memory of 4764	4888	service.exe	114
PID 4888 wrote to memory of 4764	4888	service.exe	114
PID 4888 wrote to memory of 4764	4888	service.exe	114
PID 4764 wrote to memory of 4960	4764	cmd.exe	116
PID 4764 wrote to memory of 4960	4764	cmd.exe	116
PID 4764 wrote to memory of 4960	4764	cmd.exe	116
PID 4888 wrote to memory of 4356	4888	service.exe	117
PID 4888 wrote to memory of 4356	4888	service.exe	117
PID 4888 wrote to memory of 4356	4888	service.exe	117
PID 4356 wrote to memory of 1504	4356	service.exe	118
PID 4356 wrote to memory of 1504	4356	service.exe	118
PID 4356 wrote to memory of 1504	4356	service.exe	118
PID 1504 wrote to memory of 2992	1504	cmd.exe	120
PID 1504 wrote to memory of 2992	1504	cmd.exe	120
PID 1504 wrote to memory of 2992	1504	cmd.exe	120
PID 4356 wrote to memory of 2764	4356	service.exe	121
PID 4356 wrote to memory of 2764	4356	service.exe	121
PID 4356 wrote to memory of 2764	4356	service.exe	121
PID 2764 wrote to memory of 2580	2764	service.exe	122

C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
"C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQMLTL.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKAOKHYWMMOJCGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4088
- C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe
  "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFVOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:4304
- - C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe
    "C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBEFO.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KAVSRVIMIGWULLN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUHLLF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JRFGXGGPKTKITRQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXVEEY.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FVWTCCNUKIMHPDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJILGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRXJF.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLBBDFTBPOAIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOXKJ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYVWIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJWVI.bat" "
        10⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTHKGEVTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        11⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHKNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCXQWI.bat" "
        13⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMRYKAACESAONH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAWXQJ.bat" "
        14⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRSFKRSDWWLUGGT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRLDJ.bat" "
        17⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMELMVQQFOBXWAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        18⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
        19⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCVV.bat" "
        20⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFMRC.bat" "
        21⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNNXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        22⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempADSXJ.bat" "
        23⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MDNTLCBEFTBPOAI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "
        24⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHMLTLAUQLVGWBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGSYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        26⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLEYDFWSSA\service.exe" /f
        27⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\CUMSLBLEYDFWSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSLBLEYDFWSSA\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        27⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOLQDQSNG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFQG\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYXGRY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
        29⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJNIQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRNVN.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTK\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORSYE.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIWDMVTEAYLEYFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNEYCN.bat" "
        34⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GEIDKWAXSRATJWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBULMJRDKO\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\BJBSKGBULMJRDKO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJBSKGBULMJRDKO\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        35⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJKGEGWKRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKDHW\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
        36⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
        37⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWIGK.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHTUPNQFTBKBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f
        38⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOERIT.bat" "
        38⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VLMJSEKPBDGRSOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        39⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SENEWNKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        41⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAUJWH.bat" "
        42⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FLQCDGSTOMPESAJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJGPB.bat" "
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RSNMHQXIEPIJSVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUFRQRNLSNDQYH\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCLCWA.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSECGBJUVRPRHU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        46⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXO\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
        47⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGPGE.bat" "
        48⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJFMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBRAIROJDDSTQLR\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIDAKY.bat" "
        49⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HFQOMQEHDBSXQGG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMYUAS.bat" "
        50⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGVVIKFDGVJQLPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe" /f
        51⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJTKG\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
        51⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
        52⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHIBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
        53⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUKXF.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVHFJEMAXBYUSB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
        54⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCLXVT.bat" "
        54⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPNRMUJKCJJSOWO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe" /f
        55⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBQROX.bat" "
        55⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUHPGYQMHXQBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANVEP\service.exe" /f
        56⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANVEP\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        56⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        57⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        58⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFNF.bat" "
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHGIDABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVJKKT.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBBWREMGLITQOSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GUPSWUXINSFCRQE\service.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe" /f
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe" /f
        63⤵
        Adds Run key to start application
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        63⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCXQVH.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XBLRYYJAACDRNMH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
        66⤵
        Adds Run key to start application
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
        67⤵
        Adds Run key to start application
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
        66⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
        67⤵
        
        PID:828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOVFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe" /f
        68⤵
        Adds Run key to start application
        
        PID:508
        
        C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe"
        67⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOJCFG.bat" "
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LBWTSWJANJHXVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f
        69⤵
        Adds Run key to start application
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"
        68⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFVWT\service.exe" /f
        70⤵
        Adds Run key to start application
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFVWT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFVWT\service.exe"
        69⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        70⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe" /f
        71⤵
        Adds Run key to start application
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe"
        70⤵
        Suspicious use of SetThreadContext
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe
        71⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        72⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        73⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe:*:Enabled:Windows Messanger" /f
        72⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SSCONOKIPKAOVEP\service.exe:*:Enabled:Windows Messanger" /f
        73⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        72⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        73⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        72⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        73⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
add64a4d5c64a3f31f858b916b2a58b4

SHA1
0f46a5e627c1d1bd3d2bf91f695459f7c99ea16f

SHA256
fe950da18fac68d34a06cce8fc236e7b7dbd6cda9353a5fb015f7b770db24e8a

SHA512
2bf37cdf951bb5505917b89733820217fff77c71aaba8be7a5c23adf2a6293c446ef77fea9233592438fc8b2fd46f5bd63c1b1deec9e7107929c0d38c02fca57

Download Submit
C:\Users\Admin\AppData\Local\TempADSXJ.txt

Filesize
163B

MD5
e8505431637028ceb2779f8bf990d7bf

SHA1
1827ff8626158e982611b8f53380f02266bb027c

SHA256
cd0722ed86358f34386e1d5bb74c109db375a417387927fa795d342d4051136c

SHA512
4357587b94e2d23300bae114509a7964e68805f6b3fc8f026d3db19a93e6a46b772c9bc1a711b6cdcb52ee33758e78e95c5012c2c120339f7734508f5beb9cb0

Download Submit
C:\Users\Admin\AppData\Local\TempAUJWH.txt

Filesize
163B

MD5
f9a7f4faa9af18882173932956c3c1e6

SHA1
aff391511d8eca8331544137ac661e8dbacce1d8

SHA256
57b835137da4a80f15ea3589fd45b96d7f6dce5212d40ccadf1167c5822839ac

SHA512
62d6f5befe02b82f3125869f39e9e77c473e6febd354c1760b3b055bce006f33e97ac49e4e378cd4c29f69b7a0522adb7c59b0e9c70b47e13a29720240b832d2

Download Submit
C:\Users\Admin\AppData\Local\TempAWXQJ.txt

Filesize
163B

MD5
0d53b4bee421bdd81b5dcc87dacb456b

SHA1
80487dbb13c97009e68ce1e3d345bc6e4631d48b

SHA256
7a4ed9a7ec3e0ed716c3860d77bf88682d88040e4f0725f9e124e6c6e487c29c

SHA512
8918509fdc4f4eaa44fdf91e3eb2c66b446fa025fb21f3dcdbe21bb649510a09e010d70baa70a9afa04b44637ea61f4b77f635e5e7745ef965f898960a9e03e6

Download Submit
C:\Users\Admin\AppData\Local\TempBOXKJ.txt

Filesize
163B

MD5
dfaeb4014d29af2c38eb49e488144a04

SHA1
a5a0d19f5423a1e4ef7664e3a6ee3e2d87e419dc

SHA256
7e431c2ebb10e1f21c74c4ba2bd2556f0689c9784a0b0d8d452fdf5835210185

SHA512
bd5003d55c94f420a82fd1d3f439e33be9c4732f7a2b7beb2d00d9c2bde60658b1688f49b3c3e9818e93e9838c53bbbc589e735da65628c5ad39b88d92602393

Download Submit
C:\Users\Admin\AppData\Local\TempBPYLK.txt

Filesize
163B

MD5
b92f29720eab1ff33db22b97c2782f15

SHA1
0ff6e778d817a7c3f71c422089e60fc5ceb91d47

SHA256
4f46515c7b989cd10d5f131087dc196fe7fc49433c9f308b45ff6ef50315de53

SHA512
f226c9dba08cb147b4851d50a766130e7ccacbbba32c39f5886d2660a61b3d0b63860da9f361e9dc540fbab44dccfcfc0a6e38447e3cbe04e8a09e9892eb3c99

Download Submit
C:\Users\Admin\AppData\Local\TempBQROX.txt

Filesize
163B

MD5
7c1fa6f92d076d05ee877978aadb952b

SHA1
54c2bd85c4281d255f385b0e64ffbbe26c3d7e28

SHA256
2407cef5ed2ba3bf5e97c67fb0b0c1c8a4df1127aef5ca21ff1fd17794cac4dc

SHA512
a559fb520f12aa4b87e7ecb1a047d8980a3e90ce76180295c42090aff6d96adb4becacbe4270166830a45aa42eef60ae6acf583210c147086eaacdbd9ca93a7e

Download Submit
C:\Users\Admin\AppData\Local\TempBUKXF.txt

Filesize
163B

MD5
fefe2ded727921f4996b93514b82813a

SHA1
1a199d1b07e0f5d50e4ae54639b365c38f440705

SHA256
e717a710419f99a5b1254f1efa892c9e5f3e64b2d1d3c384caf4d83f97379265

SHA512
e5c3d63d0be1a0cda8545ca66bae55a6cdce5c615be92e5e1d7a82826cf43462a37e72498478acff018d760c52642a1b8fa8f955c15847d5a46bad10b17cae11

Download Submit
C:\Users\Admin\AppData\Local\TempCLCWA.txt

Filesize
163B

MD5
a86ece1e1d04dce039c59a2fcbd473ab

SHA1
f8dcf222cf2731938d3a89c6110aaa94e9be83a2

SHA256
a86b836aefc59d8d29c06d79fedfdf4e468ce148bcf5af1adb0786966fdb5da8

SHA512
a7c6691df369d393d2bd23f1d5a1c8df6cc5606c5adab90f2903f807fa131977f86be97c355932d7657e771be392473183b186ec31c5d747189b5561d69baebf

Download Submit
C:\Users\Admin\AppData\Local\TempCLXVT.txt

Filesize
163B

MD5
2cba0d11dfa15720ad1a97e28ae52801

SHA1
8ea7f4a6fe828d371d7d10f4ffc4e4fbc42e66e8

SHA256
b2c61bc10f07e9394284b3e8f0fefe272ef12d68f398d9e7399405ebcf250d4b

SHA512
1903c08046122798578a0897a5308e137adf97399bef6e63d8ed3deaca516928ff6def645dce86685d4a4740bf11835655ff4880ee39a7b567b27061f9bef7c5

Download Submit
C:\Users\Admin\AppData\Local\TempCXQVH.txt

Filesize
163B

MD5
62642c1e7cd74552d14e04a27660d3cc

SHA1
29f05f5be2787dc887bcf71e1d57a1bde2a43cae

SHA256
890e3662e60b9638fa241281b0a7389a565f06f5248c05f84f529e5767fd85aa

SHA512
e92099933c7e8bbcbc72135329f53d67837abbb3f1e8f12326ee30e26f33b11d2a1308dc8551d560eb2ba4a92211bc770ca2b71b0085c3b1f3744f0f08c9048e

Download Submit
C:\Users\Admin\AppData\Local\TempCXQWI.txt

Filesize
163B

MD5
202b5fa7bc15f7e1ccfe739e9a017ea3

SHA1
272363b2ea9760be3616a6fafa9c668482131fee

SHA256
032f22059b6224d1a644ec3cf56f45407d8cc79ceff50c4aadc297ff3cb6c394

SHA512
e5585048c1d7cd61dff243962d3f4dfeac84ab626a37eb95e0be3fa3785ec64d8e4355a25f3b7f74631de2a5698f3e90ed2b096d8e371b6361a3249d1007a289

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.txt

Filesize
163B

MD5
0a642b13e305d30ca155412d35b152af

SHA1
781496d9955791faa48807abc37e66baaf0169f5

SHA256
1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797

SHA512
de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

Download Submit
C:\Users\Admin\AppData\Local\TempDRXJF.txt

Filesize
163B

MD5
ac8ff0d881f8b0b0996be36a963a036e

SHA1
bca9d2242021d59b084672640a3574585e2cdf13

SHA256
eea2f897b3b7951e71be01582650428ab8e3f5dc601818a6ce232735875e0ce9

SHA512
895efd78153ecc0be11413d46dcd1ccffa6f0cf16f7eae0ae9e6034482fee72c26ab465188cd227fad527fcb79f5d9f19ba167163b1ccbad213f166a7df8d073

Download Submit
C:\Users\Admin\AppData\Local\TempEXNJR.txt

Filesize
163B

MD5
dcaf3e0a6ea26a9c55a5ed553613e2e1

SHA1
acab4ebb91e82d131cd9255e9e4823ba6f44b748

SHA256
50eda4a6caa82529ba83de697e5e4b469cb358f0c0b1e87c73a4215a10901b73

SHA512
e3effba2dba17a31e9af079cff878add98a55f5603b24930c2f9d6093f4b33fb1725b6ddc1139d5356219923f47f5172ba6dc5c863abdd9b4bc66436183157c5

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.txt

Filesize
163B

MD5
5a2d7d2fdf8d93d974d5b1e5e9e8b3ab

SHA1
b73cae44242128fcf54c491ac6d0e9a8fcc0b95a

SHA256
1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8

SHA512
8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.txt

Filesize
163B

MD5
a34ec4e9e6e4ae0544b22a56135aa720

SHA1
19a73998baa76982e469ecc17b8b2962caea2056

SHA256
4dc6c2dc4d27922c67777f18079c33838b58191ad588512be844ecd3b1ffde86

SHA512
303b6dd0104354117c544d3013f5705f523d369dba683e7d4cad2d7de090281a15313fcf3f6fb5bf8871ffd3ef2fd775c2d6e35c53d90e5dd4c9fb9685db78eb

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNW.txt

Filesize
163B

MD5
7b60f9aa706edf6df4093a111dcde7d6

SHA1
b4e0cae00b710d14f2910ade133f7c703bffab3a

SHA256
fe8c5518c6aa29b778f287eb03d3ca215c7db7e981d6c397405577dcc7d23451

SHA512
a19b9e08ef8d2280e3f4c729165639c3811bea433765f3c0c1420ad04470636dde34cfaccbb40f0f4a0ee3d295c87f1265d68021dcedd1e6161919be561536f0

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.txt

Filesize
163B

MD5
55eac6291ede42a90de5207804c0e0ec

SHA1
f53972b85dfc194f41acf4fec1ac1ae71f8d63f9

SHA256
40b95e7cd44d32cf66e2a6add1cbd09310d05a51d59d88e9dc656ee90602efae

SHA512
d041313443f64f4571a67fda74352f256e85cd7c2d343f4171c4eecaac9c468eca9dbc427ddb8005da088bae2d6b888908245a5fa520b4ee92167a2f0819e3dc

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.txt

Filesize
163B

MD5
64aecd88bb524016da30b286f950baed

SHA1
92f8ae67f2fd1ace58b19015a0d36a4e29e54f2c

SHA256
730103496361a09411f6a6156540068057782a81ebe5d57bb77027f27861669a

SHA512
12346be4c23e9f7f762d7b1162540a6f868a919e72ba9c739929d9a43f7d1b7d3b5c15f41f8a64a61f89fc3e1bc5beeb2484c1a1dd37cdc691dbb54d71f67a9c

Download Submit
C:\Users\Admin\AppData\Local\TempGFJWA.txt

Filesize
163B

MD5
005383aecac58018a82a1cd1b58d5169

SHA1
3001b33a063724e29b60945384b84a0178275ad2

SHA256
bacc8a8daa3f030b5af8da69309099e9af9e995f6bdc492b9813e3cca61b53b6

SHA512
87aac70112a4735d6d7f2fd1c60f08016fd38cdeac096f8c8df6515fcf530c03e865753cfe5c0e65477c5d6ed54c838a72fe84e49ddfabea7bf2e198a57e8ff9

Download Submit
C:\Users\Admin\AppData\Local\TempGYXTU.txt

Filesize
163B

MD5
f662fbbeabc47fd6044be333884d08f8

SHA1
6a2789eab411b65025f34c1ef223f3c57ba9b370

SHA256
461ca657c06bf7f5612fa2a53dd8ce5948eb219691b4bc9bd13062935b8c553c

SHA512
ca54498fe5f840caa6344bb8e01792c95f2a7a0ff383899c5ee2f03cf7a144da6979e737e529beac0c0848066b2f8cb259cda2464730405547dba92771e6b078

Download Submit
C:\Users\Admin\AppData\Local\TempHIFOA.txt

Filesize
163B

MD5
cdfa77971a1f9127b97660a76d4fb58e

SHA1
875b079728e19436dd88625936b1006a4ad03e07

SHA256
b299f4cb54fcd5fc0b66cd58f10dd34a3edbc01e542cb6ae3f8e2e23cf29c2e4

SHA512
74fc432277874fadebdfbc3ce5e2c2b299fb4eefdcd9fb971664eef39fdf29e5e4fd5f6c1befe62065a5a4827cf0d99f33336da413343e1e1e9dcf01702037a8

Download Submit
C:\Users\Admin\AppData\Local\TempIBEFO.txt

Filesize
163B

MD5
372b92dcd75b94af3651c278da33916c

SHA1
1a2738db013e9341e8bc78545ee3e930ac380696

SHA256
911a32b99e671d3e5bef72c92bc4289d82d34194dfe0d4b6b1e1e955304025bd

SHA512
f294b146b388391a35b6b5eb88e2c818db371de1abf3aaa4ee5585f6a5e9278ab9a19e8c3b137577a9254064e25118afdd474ed57a00c70aa825e590ec9a9587

Download Submit
C:\Users\Admin\AppData\Local\TempIDAKY.txt

Filesize
163B

MD5
ba11e60f0032535800a01a77bda04c29

SHA1
3da1a577e70ac2c2680a00894f71a2fc00050cf6

SHA256
60a0f9d0a2e62c6d36f9cec2a6f5de46aa1dcad1a02c6748114f5db4b3bbf236

SHA512
c955ea586a8376e3c1f66f8e900feea4a739a41f7e6c3a57c3274b971839c37ee20f0ba44153d5973472c42643903cd35d6f1897d7af4ddbf493ced8233172d2

Download Submit
C:\Users\Admin\AppData\Local\TempIIRMV.txt

Filesize
163B

MD5
493a01a76222dfa968cfabb6e83dacc3

SHA1
0cd9522cac3c75cec6d9e97b0780989d9f0c701b

SHA256
100e2c604da17131bcd270f937c584cdf8ca8c1a08955828d7a242a52d86cee6

SHA512
a864350e275a618b489feebe896d69d05d4c68d3ee64db623a4e782a74fbbf674e1a73be24f407d78e4f8aa322a4b8b302b3884189bfe72c8c805daf2a2a6d26

Download Submit
C:\Users\Admin\AppData\Local\TempIJGPB.txt

Filesize
163B

MD5
5e64037ee676bcf86a209af88babf8b4

SHA1
38e9f0f4b95b8438b506d63c64965550591f8b7a

SHA256
6c97d2a7301517cb0f28e1dac122c0f25f0876d48d03c6dffdea913d9da06bab

SHA512
051bf56665d78591a50f1acd74eb1e342d6b5ec6cc1b7541b87b4d38bd68a03962e348ae93c38a39be3389577b2ed9d2a71c03b5e25df3ec0be9a123f8ed13f1

Download Submit
C:\Users\Admin\AppData\Local\TempIRNVM.txt

Filesize
163B

MD5
7bbbb601e16501019f9650372554699c

SHA1
6e59d935bc5cafc0a452796b4771f70446480400

SHA256
6f5263aa019468fb1d91be7619c35319bd7f31c7d00f94918e5c901b5acc29a4

SHA512
4db55ec095a587030e059cd819c9319f2601be64aa0b963b867e83739e14710df5f7b390828cc2d76d9991f961b4ac5be1894548ec666d4f774ab708e0cfa903

Download Submit
C:\Users\Admin\AppData\Local\TempJRNVN.txt

Filesize
163B

MD5
53972b01f722a38682c91c015d84d2b7

SHA1
24fc1f4bdfbb5c48df4079be945d2253d9f12283

SHA256
8cc942a31001859a58602872c452d47a79c52414a22388e2d080b2311c87a4db

SHA512
6b4b99493634d0634f125b4bc8462516d0547718b7cddec8014d57eb48bec61eb5d3126d02b7355d6854bb20f7a44e5c2566dccc1f76a77fc1836e517e7e6a18

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.txt

Filesize
163B

MD5
15285851233d61e2a688de9c160730fd

SHA1
06b9b3802c61ba94d8828729ff9d7aba3da7e27d

SHA256
60bf2801ea6c831308a9257254fec51748f911dd5a3f1f384f31f1515ef6afce

SHA512
90a29fdefa94fab43a002dee8ab95449b626f3db30189662f5ebbc5aba313f3d63e9dfb7687b067e766f4193f72f4d5155c68302c34c7759e92c6e52c7326c31

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.txt

Filesize
163B

MD5
67fd95a19b3d0dbd6a8ef1de3dbf26f4

SHA1
cb882e8594587ee74269c7dcc579c8f6fbdd2b8c

SHA256
3f3641413d24d62d131470c1c6cb6128229e64bffc09960808e219ef29de5c0d

SHA512
e8fdca2aeb75eec011c93d777e3aaeafba6add1d15cf943332a509dd7b49e9b12ecc71d7f18b70569815a4df0ef4ad055f0c1b9636a91cdd0be1e7fa89c44ae7

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.txt

Filesize
163B

MD5
c2677e71bc7ffbb03f222a3bdcfbae17

SHA1
8afe4f097355bc9f9d06f1c2d542502526d7ae73

SHA256
a9b14cfe8718fdb6feeefbf0413b5df4f93fdf5908fd813c42fd56ee1d89d146

SHA512
5a3562a43add9cd7ae7f84344d6d1e34b170fde359cea9264c10448f08ea2b18998e50bf2333dce553adccbadee7d65b37e72f5fe6b063fd599f0c39a64fe8d6

Download Submit
C:\Users\Admin\AppData\Local\TempKTFLQ.txt

Filesize
163B

MD5
b26c8cc3ca5f915507cdbd939df6cd98

SHA1
41df0368c5141d0135229e8b792c94bc18980b4f

SHA256
f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3

SHA512
57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655

Download Submit
C:\Users\Admin\AppData\Local\TempKWIGK.txt

Filesize
163B

MD5
522b41c2c91ba629d62dfefe223736ff

SHA1
5c99c3a8c4a151818302fdba876c80849b40528d

SHA256
ca1c602408cfcc7c08205f0f3f69e430170bb2f23198e783304d4e60fefad6b7

SHA512
2b339f9e330ba9aad6d5f25328fc896b21e7dff373933cc4a0fa3ef0de8fadb992686e73242c9d11152269f2520e34bf27a3637b34facf9d18f7f8391fbf6eca

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.txt

Filesize
163B

MD5
63e7312cd6a03ebecfb4636bb0f91f19

SHA1
6faff88510b0ce90dc183d5a342330942445e24c

SHA256
04121393ee29d47027ec774e015a6d026f9a01bb76ca4938c08bb97c5d06bcbd

SHA512
391633af048491e07746b6926fb10cc61274f8c0ce84a42979b0c98010e6b438be50e86a7ffa0046e63b8552512cdee2bd5bda3dce7b7f3e5e6de768d8c8b38b

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
e7b4f98a5cdc58aab86b8229a2d25e59

SHA1
90390303a5b6104e97a032cf983a6593b5939fba

SHA256
ff41af6d36af581eaa4bb255e2ad42726e50b7b31e0faa63a4af1ac4c7a614d8

SHA512
35d6dd368b7006e6ab1adc3994f4a42c2d27df875fbbb622f9c4f06a6005d92034784d1ef271ea11722186cbc551c45fc6401bd6c8ba149d302b666347726f80

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.txt

Filesize
163B

MD5
15efeb5154e9c7d559ee07f765723eab

SHA1
d643850419f1105a1c01e48702bd7de886ff58f0

SHA256
07119d8d655cd6fe43703b3b54bf0b6d16b4144f92c6445693f82bfef2ec44f5

SHA512
a6fb44fd5a84d23849d0208bbd5e34ed1f951cb1e0eb38f27cb92426522d767a39bb7fd4cdecbaabc44ae249638b975535f5cdf466ac56461dbaf3178448f5c7

Download Submit
C:\Users\Admin\AppData\Local\TempMYUAS.txt

Filesize
163B

MD5
d18f0c7b1670579f56b414efa6dfdf45

SHA1
83fb4a06a126c376dba4eeed2b2b97e9b21c0e31

SHA256
6564c97d4807066985e5a5f71681210f88b6956b6ab7128270229d47b67ad5ae

SHA512
0db0ff43f74cc52a3dd5cc4bbc963357d876087c43493aa05698faee4b0aa2487c2c07b3a8c748c88f553b619cb848e96e7d512774a17383d4aa5a52aeedf001

Download Submit
C:\Users\Admin\AppData\Local\TempNEYCN.txt

Filesize
163B

MD5
2b7728807663e5f826c63912c0fe0466

SHA1
7f929fc6f5b89fd6ece6a503acd3331442a8d30d

SHA256
1c2e23cfd7e24f963d3d3838cb36e00d573498caaf6ffcf2fb2667697f04f620

SHA512
9b9c1aee81450d3e8367c2c8c16ff409e32a8d600e84b755fef0e5055dde0b645a90b38323f2bf7385f38dd884d1166e70f1cf5879e3bc00ad5c63315e2edb21

Download Submit
C:\Users\Admin\AppData\Local\TempNJWVI.txt

Filesize
163B

MD5
bd6ef1ed52d4cc4ea3b39fcdc832db74

SHA1
52dcfa670d83fe9e899d3f4b67152434f56c31c1

SHA256
383c6ce9068caa1ecb932291ab7bdfb1b5cad9c1f7e63ada6d25f94353092e3d

SHA512
f49dd2ee37c0249009d47ce1b3e69d74ad38e77ccf55c2030d353a54a1c2945a7b9435d3ccc74b231a154f59bb0897150c2a9169b693e1e971d6c7c16ca0b652

Download Submit
C:\Users\Admin\AppData\Local\TempNVHOS.txt

Filesize
163B

MD5
65dcb1450b3de3f67453f9bcef548793

SHA1
47dab7dc089379d0f3878167729b72aa27ff5a4a

SHA256
bf72ebd2daaa96247946358ff30ad4bad7264ca4d2ec2e8a87b976d3b0aafa76

SHA512
d6b8ba80f3653bbc51064150367174681632e6411aa42f819bcfd8cb3d291748364d1eeafd7ae15cd70c327f4595a4f7775aff277afebf8b80539fcca26560bc

Download Submit
C:\Users\Admin\AppData\Local\TempOERIT.txt

Filesize
163B

MD5
dd5f31157b5bdc6246c19d98dd9f8c36

SHA1
062a91864ed8022b7bc3817a17e09841ed6bc0b6

SHA256
637a11e3d914225f0552acb1701e99b4aa69bd521d1e9190d73f8f46456c4779

SHA512
28874b1309b321bc901805a671944db4589d2aed851b76a3ae7ead3f0fa97ceb0b474d4b5a62f870d0871b158097e6d39c9b03fd47b84ab34aa785d98dab2aba

Download Submit
C:\Users\Admin\AppData\Local\TempOJCFG.txt

Filesize
163B

MD5
96757bc1d0bf2359fa4d8d4bab44c2cd

SHA1
bc077041205407bc710ad5154c52312996befa09

SHA256
69afa40e0737956c86f40c8dd343448ecdc3f8c0e1888edb933af3cd10c4f884

SHA512
9961163aff82c5ebd72bf0a9c76306005ffef4e0c17458994810f0a534db369858561c5e65add3b6f2179ff56dae037d5f326c442f6d6afcdb475c2bb747c358

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLT.txt

Filesize
163B

MD5
6718f05350534884b05f7786fdf96d02

SHA1
a8a9bc6192a15d8defa62fa08f7573190c39370a

SHA256
63e53ea431e5720621cc8483a59ff63e299be5e1986af0bf759d4a930bd67213

SHA512
a94512a13f9471a450a59156108131cc69156fde14e0bcc687cff442077f30503d73fe0e51c729bc2a354469a91fdd771e233a64904516793ccdf1ad65b5eea7

Download Submit
C:\Users\Admin\AppData\Local\TempORSYE.txt

Filesize
163B

MD5
3e7576fb3d289d542f38e21dbaf099b7

SHA1
e97aba8aa1415d5778e27229fbc4069978b4ac1c

SHA256
9731444992dea4b7a21a5a98234d37002dbd5fcd3af2d7de1e01111eafd15168

SHA512
40ad358687063f64265806eb0a58478e273c020d6b17da81321bc5bb67019b040627bf09b7f29fe8fe7a5ba6ad86d8cf982804f3cc6fe77d02c856333b3c9bc8

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAT.txt

Filesize
163B

MD5
8017c40b3b87f358920ddc3a7822801d

SHA1
d1707ebb4875777b38e09531e15d0cc1bb133731

SHA256
ae1c8c15c6aa20d60fc888d7e2067bfcee9d767bfe85da8c6922e998f4c2ed5a

SHA512
b9f5f59b6d2d8e5250737c461625785dd78e697c9abf87e5f94751aa0f07e1f62fca270c00202ec6af2b18afc052de611eba4cd126b5ce78c913b0d518ca9354

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAU.txt

Filesize
163B

MD5
b6e7e717427b9a2a0cb73db79e705a84

SHA1
27812bd748e98425f675803b8f176a4256f194ed

SHA256
b504483495d7dc2be123b22b234915a5fe61a07a357a00b56f2b57222e3a63ce

SHA512
47677f7e8dfbb53cff8c626d252772dc3910b82133864bba34838c246bcf1050751a5ea87fc5f46d8d7068109c8d1d09dbf1fefbadd163c2d97f9f7d6fc299d7

Download Submit
C:\Users\Admin\AppData\Local\TempQBUUJ.txt

Filesize
163B

MD5
c872ef42f00e73a0319a155ea74d0e15

SHA1
7410c08d0e874446ecc7eff67abe22578e496d92

SHA256
356cb8a3f03f52001f593dab167201e1a906ff4a524164aff93eef9501a28f3f

SHA512
7646ff930bb06bcac5b5ba579e465a8b4f02809ec81df59655a17c03c30e81ad3c57be8573efa8cd45a3b005816775b5d78470e337ae6d5a953cdf263a4c4bbb

Download Submit
C:\Users\Admin\AppData\Local\TempQLTHI.txt

Filesize
163B

MD5
54727cbb67d70ab8d9c6af1f005fcab5

SHA1
7bc190c8f4f41a0549363212557ef5a4eb0e8247

SHA256
1e54d8575f379ba1050f0910f8aee21f8b75d06709544ecb5509fa165b2dfd03

SHA512
200a6eaee9bef6b70bd5c23e32197b50b8c467b816326e724a4c5838a9df04a677d3a12c962b61428cb8f3c8b11cd2f97e44b4180972718e68ce6ba361a5a00c

Download Submit
C:\Users\Admin\AppData\Local\TempQMLTL.txt

Filesize
163B

MD5
236678d3035ec06dcd022c63eeca42e3

SHA1
71fc841daa1773de9292e36b73b1b76a001bc3a8

SHA256
22b58a3108a4cf3fb2791eaa25b2abe2771aff3b4ede606293357895ff491b95

SHA512
1b45d14023b966b9903005b2aad97141d0b4e636b839fea6ec5d1d6dfa82c175822c329b5068a4a6f9bb29f500e9f47ceb8981c22ffbb453acf6b75536b3e036

Download Submit
C:\Users\Admin\AppData\Local\TempRRCVV.txt

Filesize
163B

MD5
6fd117f208423d249769655802c3be2a

SHA1
3ee3d49980f8c042989a99b98355f141a34f194a

SHA256
1c2ba2205211bd08851020aa7e4e858f766c23cd1f7a9edfc88aac533f454f7b

SHA512
9e2eddfb57523bd138b73dd4f3a59912f0727be0e5fb6141f7532c94478083aba7f102e5d4afbc6a098b7c6bf6ff1006a4d69a875287c985cae87c54e5b4235c

Download Submit
C:\Users\Admin\AppData\Local\TempRRLDJ.txt

Filesize
163B

MD5
f270f6d0e003786c637da69e672d7c2b

SHA1
b89b1abac6b153f43d485399d393761c163be5e1

SHA256
8981472c816f5a0f2547d1781b2ed61da0490b71c868f1065f253f0cffce0b9a

SHA512
6ddd32782a14ab8487132a7f32ea03dd6c5b3bfccdd5e31a5e88692e3a877b6160ad43f6208c055c070b31b90b053b452546ba638ceddcadb80a8ae54f8077bb

Download Submit
C:\Users\Admin\AppData\Local\TempTFMRC.txt

Filesize
163B

MD5
7b2dc6e81e9d4ee1b397576c8a5bab09

SHA1
0e7cb6bd412211c39ecddf631e4d97b4bef4aee9

SHA256
75e8fdab0df29fb80679cdd3506e947933b3e088d89ccaebedf169d64e693c50

SHA512
4d0bb20f49e0728301715d6d8d79669b57ec51becac3716326f2fd4d664c74287a93daefca78db1c1edd1ecb9090058d0d2f363f5e11b66e023c0b9983544018

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.txt

Filesize
163B

MD5
93f1b026ec46d6b8503f3ca1156e5a9d

SHA1
2bb047e39c532dccf8f031a83cf0fddee3417055

SHA256
34246af2fbaddf700ba48f7bdecc38553ac177080df92a9af6b82cb992f65660

SHA512
0e50219de8fe680a6cbc035c35b75a477333ed51206b465af20ce186f6afecffbc792ca6f7903b4acdcf5ae000b1b8272bf8474b05fcef96ab117a9886de73ec

Download Submit
C:\Users\Admin\AppData\Local\TempUFYNW.txt

Filesize
163B

MD5
8e2cdfcb68ab80a91b19acd0bf1e498e

SHA1
2f13701b6e7e1bcb042b14225fa04bcdd22052fc

SHA256
f8f5b95e5d6dde02b4a18f9ef2395222de0c20c221e0bbf558d1eae0c4d98368

SHA512
b460f9d9df74d6aaf66b7b2a103481fa7b089d3092ddbab5c5b0c2a9ac750f35bf4c7ec56b8b19d70cb9e72663065c6433b885367e3fb0b06da94405a85b183f

Download Submit
C:\Users\Admin\AppData\Local\TempUHLLF.txt

Filesize
163B

MD5
dcb30480cac565fb0cca96b61822ae35

SHA1
83951c8244cb4574fc97a6e8816b8291ce70ae85

SHA256
54ccc1861695668b74f979898dc5ce02aaaf80f013660bef8a58dd931418700c

SHA512
20ad6c0a3e4881878243ecf8466aae95850e29e92fe9425d5d152ae07f2c3db1343ed88c10c025e7b41c36b34f3be07f579bce1aea2d0584ac62b9204e6c5a14

Download Submit
C:\Users\Admin\AppData\Local\TempUTFNF.txt

Filesize
163B

MD5
1dd5d0a857ac0815794d12cd8c99d6a9

SHA1
75268d85342b413e0a12c0a626214c648c2a940c

SHA256
c84c5107cdaba0d04963a0cb98e0f244480c72d5ac1ec375a6fcb69e48557db2

SHA512
6e1bcf70a5216f29f4e736dbf06c532bb344bb070d978e2a7ab23504dd8e1d738ce7dc16fc61a564418bdda65092f10668fc1d3d5b1812e67146ffbc9f572806

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.txt

Filesize
163B

MD5
d60e814d6fe7e9ab7d77a6faedd1edfb

SHA1
631e16e188395e018e7c5c59ee7c98ab0d79d2eb

SHA256
d05e1c31db971c55a0ca594b95bdbd1dede720ea3427ba148b843495a486be24

SHA512
d3a0df75a67f76a5578541d750e44e44def4d6952100e93fe75de1b1e545e5d44472ddf0566c817318e41ced5a6392b3cd21b4621ced16ce6188ac27b1c1890a

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.txt

Filesize
163B

MD5
1784b64660fa6abff948dc46400ba01e

SHA1
2aa013f9f2705cd2b15a57a771880985349f0ac9

SHA256
dafb227374b143384e1183341cf06df200b78b70b28ac449257a756450e2fe35

SHA512
8f93e374766accd0836de6fb6b239f048422a70fecc120562d29f89c4f5b4e14d6c1bf3745d65a96227d7c0c74a5b753997b0ece9be12f4e44643aea03c718c9

Download Submit
C:\Users\Admin\AppData\Local\TempVJKKT.txt

Filesize
163B

MD5
e1aa77ec10b36c8029fbeef215adb276

SHA1
9cf99ce961e32fddf3ad986134f51f931db15d66

SHA256
30776d62595de30ea3cb0845a2b745687b39d3c0f1acada091953cd906bef92a

SHA512
80762902ee8ebd72cb10f1be4d9597f396369ac5ad20dd4bf96e045be0a386b11dfb452da13e18bc9074d952ce6f7a00c6ee08baf85f0e15f1795e1a73c16d89

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.txt

Filesize
163B

MD5
0d7ee6c9335600ff283e6c3556a9761d

SHA1
0aca254bf63f47db664827f53deee2b2cc6ee010

SHA256
0036d95d3c4b94f1b46d35e6eaca10da20170c21a525b7c84dd1c2fe0b0d9cba

SHA512
6688d8cfa9a29597c2e0a34bc43053fee01e1cb28c96c1d6cb49f67e6735cf85dd7afc534849a3822f828e5ed3455180100ba08a12f0841efca1fd0c2f6c53dd

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.txt

Filesize
163B

MD5
376a41f89bf726d8018efa7f032544a2

SHA1
d85b188694bc0c2c550f9899d899f45ff74e0f8f

SHA256
316f6605f3b01c2ef8642d1fcad84fc2f7e3a6f7f5727d2cfccedd7e66807f33

SHA512
6f34ecccb7dc6ca1c424fcab8c2e0916b240429f8a5b73e88c08da6e1e9b94ab2f227b960f59a92f92de3d6b48948a2ca656b13a301b51341523dfdddafcccb0

Download Submit
C:\Users\Admin\AppData\Local\TempVWTCO.txt

Filesize
163B

MD5
fdae7ec34f1cdbaaee06fe90d7529d7a

SHA1
2a750cb1c3c768c6c391bc65522d703a3d155c7b

SHA256
4e7b935cc78a6be143dc742a3e8d14474cd8fbdc52e9a37094d08a075ac19167

SHA512
beb0369d5a98b22e0abe003ab88aa8893dcbe7fb0c5026384bd94a9321bb9c1b79ecdc91a5d5f634ba9873d48bc3d19b385d4c0712d89bbabe659f71deb6d352

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.txt

Filesize
163B

MD5
2ab648eeb26022bf03547a170659056a

SHA1
bcdeeed4d611719eaf6432d9505ebce6c14ca865

SHA256
a842eccca13f0ace0f9257ce52c3eebd9c665b40a21b20b75204a65e7a9e67d4

SHA512
5c485a146e8d99798b7076e356e04277a8ba8e0f46ed60a45dd77146364a340888fc4698310b272e6a6e4e815dffac10210a67f695e10d8d7468af2f1001e310

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
cee52e867eea3e6cb11cacb1454673bb

SHA1
d5caf048426777e248db7e47e96f69528e4356b3

SHA256
fb395866dd130573a86c20bcb009d21c8d66abd8480a12802ed16be4a29a1582

SHA512
9fb572a40499b863fce21c793d720878e8db6c7198fb9383b22709a84cd08bede1dbfef8aa1241010e0226e6597d28bc8dfacc36b93ba1b6561d15e6893da827

Download Submit
C:\Users\Admin\AppData\Local\TempWVRSS.txt

Filesize
163B

MD5
c320041237734c9b977a3dda76c3fb2a

SHA1
988929d1cc0c5326ec4eaf230f19cf5b8e2f1b7c

SHA256
adf09a180b4c1faad72caedb15ccb4adc40c7bfd42ad6bf4687476a92f2e8dd3

SHA512
508683eda17c676511817eee3d0a42976daeafd6163c887f8796e5213639aa2581367c6fbbddd5aac4c8932ee965959d2c4b5235000d7d76118bb9d3ae06f647

Download Submit
C:\Users\Admin\AppData\Local\TempXVEEY.txt

Filesize
163B

MD5
0d7f1cfb153630b2119fb42227ddfedd

SHA1
12d3155d5d23b350c9c3d16663a0990f9d0a7761

SHA256
44560517b0c19a6dad0899dfadf3bbd1537747085c916c79609f0cfac25ddeac

SHA512
986856a80d356a743a71b2057809372a5c048814f3bd663ea06a18b1faa34894679d96720fe827175c650a6c524feec623c57bc3db64d9af7713ca58a725bc9a

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGE.txt

Filesize
163B

MD5
e3107c343354758996b1c6f98a0cb471

SHA1
7e78296bd1a0f13380aacbc57717fcc848780336

SHA256
de9ece07984a1dbb2d673bcef8512f2fa4b73f0a36465c8ff858fd458c9bcf10

SHA512
bf0b4bc302933f420f77c613242919ae3377086620a975fc6fdfb8d53b3afa6d7bba0619087256d59843e93e9d531b110ab5cfc03b4115b7d44ea7e4b26fff5a

Download Submit
C:\Users\Admin\AppData\Local\TempYWFGO.txt

Filesize
163B

MD5
7e3facbfd1f323f14d0e0b6b9304104c

SHA1
d49ee38f589393b64f173e6ad02671f9685dffce

SHA256
f5f44027a982db4a8a159b6d2961ae86be5a45153cbbba09bcb51bbce2745e5d

SHA512
6afc7b8927856ca58453f2e73bb1b792a0ad379c449ff9df62c0ca22563733f2681b39ff37b788688b021455187eb683ae9f5366b450b49aa9969f6635872d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe

Filesize
520KB

MD5
0f11957dd427c56b6ce745ffac3cfc69

SHA1
7c6035684a6622dd43cb70a426e242149c7b3b0e

SHA256
5bad8d18f3ddf809a88873b4c700beb5c8d2b6a7e9a4e6a628401509f5da9dad

SHA512
3519600d56161ce449520ef14cb6c67bf892b018db31b529fc517d27756c6c299cc00e505ca5bd5d1873cb66d76295e0d59ae00249adabd0941ac0c4159dd2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe

Filesize
520KB

MD5
c03211097affa6c353927b168ac34d05

SHA1
4ab5e040a7a15f21f61d9c61c37a409905a2b6e9

SHA256
07ca03a683789b1117bb3e9ec5bfb1eef4092e8d80d6fca5fae0b9dbc9073c92

SHA512
3765030b7de0ada4b0168a53ac3b1a8bc1164f7bbb40134e7d4f248073c4fc1285615c9e39fe4b3140fead2d42b030f3f6f293fc621376bb36c6a00afe805703

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe

Filesize
520KB

MD5
2b922f356b31794fe60f4119955f444b

SHA1
1d9d217c93811794e61914bd171fcd7250731c17

SHA256
2a86e47a7517740916d701379b98c9082c357582baedd05ec46b26e4be813e94

SHA512
0bd665280f628ee7db8769692d024c4091775a25898704984ad06e29d2627fa44c0cd6d46ae0595d1e1859e39bd2d26325252cd019cd40662ca788babdfb3d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe

Filesize
520KB

MD5
10b3811b16690e4e6e92d48f27a2a23d

SHA1
fe12805b4d679350f362607935e7aa2fde9d042c

SHA256
7f307e0a380766fba260aeaa87bb4c52dcb28553f2fec452001654ea467d1fdb

SHA512
dc0663e6c37d5adf215ac8dd6d584c7eea7882f159c57bd8b39dc752de690fa4dbea679ca30c453e0eb78cc5394c81de73411171e400540787d587faaedb8d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe

Filesize
520KB

MD5
d1669969150888d04994fa97d36b17f2

SHA1
54e448dde5b9943c795ae236430c78ec7b3923a1

SHA256
0e17ceb2eb6fb238d6999b2c5d391d1805cc21bb0833c35691ed138ebf48b7fe

SHA512
3d727bf1d23d81eaa78432b97b552f07442fffa3a4d6a160e3b2c706d3653db4b05cbd5060403c26b9eb4f8eb89d1349e0303f382d3d4f4635d27a1b12f11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe

Filesize
520KB

MD5
42e2e0e9419053005d12d3e332435a2a

SHA1
8572b5fab0be55fc7799c6b65aa2da915675c7ea

SHA256
6817cc10da3941572e7f6aa928eeca7a74e1e20e5cfa2c6869ba3a49f315a17f

SHA512
46da2f2f7b536ff0a051a3a32b903f156efb5d3e8fce2e860b264d01ad80dc7c7b60d57f0aebe8ba8962f0669cd038a35fc31b2300531fe45422d3c439a81813

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe

Filesize
520KB

MD5
530f6214a52cec132f0daa65a764b0d8

SHA1
170c63b34320f5ce9c496ee126d220ae7f58c274

SHA256
471b9b64fdbb70c9d65b5dcb3afdfcbd3d1f46880758324b62b7f126c44c27f0

SHA512
8941f5a7be53a2f3e11a1a70962d34f6cdfd5107c86275e8e9aeb49c0585648bc2d3111bda4ecc47e2edd13b782dd5788a93a4063646c96e197a86b54719363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.txt

Filesize
520KB

MD5
2c3cfb37221016178f6ca6b753ae24c8

SHA1
8e10786a03195bd2bedd85e4caad9f409f3b6194

SHA256
dd170357ec1c4d2460ed3cff7dc7989dda5eff8b89a2780e499e6092329cbe97

SHA512
1d1ae598f67d5df2d75315d68992b73a5815807924856170ac40616fd7ce41797e35fa524dee654832f182b9ebf0905cb4768de2fb7a99ffe54a4ff314d12d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

Filesize
520KB

MD5
d6a26d2aa1edcdcac604d074faaf53ca

SHA1
be1acae4c51de59b16b929b1d37d5da5668451f3

SHA256
73108a2c55d8c3061a40b191f5a3aee58845c119fd4b77e58c963bb1e9b4bc59

SHA512
10aa0e13a7a043add1e36ce3f70d994d6baf0d4aefbf5123633d4a0f572b7ab70a47abc43d381401669aa32c1a305a3b0304d7ac60d1cf4262e75c0ca89cf610

Download Submit
C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe

Filesize
520KB

MD5
8e78414f59ea6a86840846284cf5ae3f

SHA1
bea040724dad24dcb08b2625ba81ad88f6fadb58

SHA256
62c7c11d98974633519867cf3731374c1b5d31d7e6dbe2c19a2a6e8de0a762a5

SHA512
33524b3663085ccdec91bc3af7c963ba3e3864367f98ecbbdbf8929d7f0ab42d72b523f2b18ebab85a2605f610f6067e4097ea3872b9ecabfe257060d65b549c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHVTKUNLOEJXWIQ\service.exe

Filesize
520KB

MD5
3f0c962b8acddf7ae19818f3f4c5ec97

SHA1
5840a11e79791930332ef466bdc0df6520f9fb85

SHA256
8f64dc2c734a8eb923b34f84a59725d483852970de788112458ec2526618bc3f

SHA512
e97bac31b7a813a2bb3641bda5c9d1ff6434184cee868b04410150125db3e654905580e480dc5ed1c0754bd38517608a93d317e65d326e395a562440d87ac2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe

Filesize
520KB

MD5
fd93284cf79641d44eea984029cf0624

SHA1
239d985de112fa257577f49f903b61adbffcc1cb

SHA256
153c6e06e3ee589d8714a922839fd39440a3fba9351ec4a145b4acacc48b9d78

SHA512
aa1d7220340aa39e8460445bf42d67ec75907116e8f1e40cc2609aa0c388e9dded5846aeb83148c860bba2aded81f261b874a6f24c2059ed44af9ba8675afabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

Filesize
520KB

MD5
95d2e3824cb6dd3060513dbf79c93e2d

SHA1
e8783b8177ee705ac3207d54006df1fa9c420777

SHA256
19fe995ee8bd6f0f444642e1b801acb5fd032f13ebb67631fc5035cbaa50ae49

SHA512
49337f304f89c63df4ef9f85fac722e3e2c705f49ed1de5533af37a938fc0af81230cbcb447f819a0ab671b9d07e857abb523cf945358cee15079cfc31a7c919

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

Filesize
520KB

MD5
eecf0ef99535048295d6b9fe05b2c09d

SHA1
fbd14b9044f10dc55e842c06f9a019c26d2c0985

SHA256
40f38252f1458570a9ff96e79b09f5c5776ff1ae7f1e57e0f0a20d6fa4f23231

SHA512
1559c3d46f4009539e7fa87610395e4c11425884fb83063c3bf1d16a4764b663ab33e47f8234c0ea125b8f7827df6606022520c8a9c05c677a704ef001fe4fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

Filesize
520KB

MD5
db4b69908366d886b2a13615fddb8efd

SHA1
02a7dd0eb185cc88edd4f6a52b3c82e763a119fa

SHA256
cfad9c6bedf812c7337223cbca76dbba5889de58a829244a259bf111a6c77a12

SHA512
ce3efc19bcfd823c09d4ed59925441e009b0376217b2ad06ed6ef7957d43bef6e1b4d95a3762d244e0010228245c8006bfba277fbcabe760bdec7b24c7fdb7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

Filesize
520KB

MD5
15aa550fa0e440fc8e29357ba9ee1049

SHA1
cdf940247f42b89d09f2b4021613ef735bea93d3

SHA256
6fc83bc3b3eb56cd201ba921fde97bd8e5513e4c337000288aa03cc10b0d8e93

SHA512
24ac60a4f11128bf57aa8b01433164d6eb8802ad78d04db5a4b2d73b71436dffebd4811eb70ca4a1c81e0c98c651e5af515e664247ac79ae04a97e4e2fc7e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe

Filesize
520KB

MD5
be5649bc4b95bfda4a3d60c7c8dfaaa0

SHA1
d0a6ee33f149f920ba3c1abedd4ccd2e2f530947

SHA256
6a8311149992a44a966230d539f53d7d7830c0d81a25bf056abcc5ac1dd0530c

SHA512
0a6cd974977942a3d96b618f7537aab174b4706a0c10ea6bf4bfb014658cbe5e32e4f357f6e75e2247adff14d65cb400b2435cd12f6c8c4604b95efac6870659

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe

Filesize
520KB

MD5
cf24c465642053d0e4b0c93fdacbad53

SHA1
16b7154afd0b00530b590eafcbbec02c91055fe1

SHA256
28a9d7edfb5442d9a46ab6946883a0947fad08a572f210fd513840145ecdc66a

SHA512
ac06dc4224ba929c890167271f6b2a1d4dd44ff6b1601236cd9854b5d0be33d203215fb6dc17c644539d1c38a7f23c962229cfabb7f8a92ac741e571ca16067a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
2e78541556fcb76ea8eabbef936902f7

SHA1
8284b7542a4aec09bb5082a97a44b4f63164bee8

SHA256
d53b4ea8309ee44bda6d1bc1891808670496dd91f8c9b04f9e359378f884af16

SHA512
fbfc51b0a584092429be59c2203d8639e248058f58081b42fc429ea3608dc4eb6d81b680744fa86570656eac2f95e065c94851f1adf17d3d88f2f6e3c28d9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe

Filesize
520KB

MD5
6cd1f3eb1996755950b87bc9c56a625a

SHA1
45c53919e234e7b1b339d508042971d2195d9982

SHA256
61ae2cd9c7b25835ccf580a2e5eb469f122824f39387d132dd6a1ca39c06fa19

SHA512
00f7d6a4c0aefa663366b4f5f4e90a103e8f16d4aa87e52af8e4c85b00e0a677779744fb27fa5b0a7e5857cd44f5ec54d06559b6da3d6ace1024d9424acf8eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe

Filesize
520KB

MD5
b54ee253d848f55294bdd424b4eb0129

SHA1
7fb1fb3f4cb44c8b57ba6194cf03fcab60e7635c

SHA256
285ca3c418c854487a534ad50f49e8f383ea7558db6dd5478bb0d3914b05490e

SHA512
3656dc88ea07027114a410ca8b4d742d1dca2a6853887d94ae0cf176ec2927ddc9c6541b73355db83eb6d80c86c681f7a2768e58f0ef592c92ae6ff6e35153d6

Download Submit
memory/4024-1724-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4024-1723-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4024-1729-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4024-1730-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads