blackshades | 0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
Size

520KB
MD5

911c0729bf84aca9ff947935bdb83a5a
SHA1

b4fca71d6aa007434c181982973f5c30c0e3225d
SHA256

0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460
SHA512

2ff445adc57545af6a1a24dc584cb07442c7def38b1cd35e70f59d10539b98fcc57e2207e79726e37c2589a123fe64c69ec254257d603f65050da238f19d1dcb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX0:zW6ncoyqOp6IsTl/mX0

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 7 IoCs

resource	yara_rule
behavioral2/memory/3684-1170-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1171-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1176-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1178-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1180-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1181-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/3684-1183-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 46 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 47 IoCs

pid	Process
2384	service.exe
4784	service.exe
2416	service.exe
4972	service.exe
1452	service.exe
2348	service.exe
2592	service.exe
4812	service.exe
1756	service.exe
3748	service.exe
4936	service.exe
4748	service.exe
5040	service.exe
2932	service.exe
2792	service.exe
2888	service.exe
4424	service.exe
2096	service.exe
4568	service.exe
2968	service.exe
2412	service.exe
2792	service.exe
1732	service.exe
4240	service.exe
680	service.exe
1184	service.exe
2816	service.exe
4788	service.exe
3996	service.exe
4692	service.exe
2304	service.exe
3428	service.exe
2868	service.exe
2408	service.exe
4884	service.exe
3460	service.exe
4584	service.exe
1540	service.exe
2792	service.exe
2616	service.exe
5060	service.exe
4128	service.exe
4952	service.exe
4516	service.exe
2756	service.exe
2816	service.exe
3684	service.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EWOKFVOPYOPMVHN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRMKPCPRMFIKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIFTXJKHQCINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GFSIWSPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVUYLBPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EAOUMDCFAGUCQPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYHHSPNRMUIKCJJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIIUQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGCWRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTHIDBETHOJOKWS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VTSWJNJHXVLLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICAHRHMEVMALB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IOTFCGBJVWRPSHV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ERHVRPUGAUWBRKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAUQLVGWBFVWTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQWCDAJBGVUIJED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKIYWMMOJCGHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQUGHENFKAY\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ERHVRPUGAUWBRKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TTGHDBDYTHOINKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIUROTOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOESNLQDQSNGJLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIRDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXQGQKIKXAYFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AETTGIDBDYTHOIN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKTQLFAFUVSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EKPBCFRSNLODRYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXVDEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HIECEUIPJOLWTRV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FBPVNDDFAHVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMAMYUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSGSECGYXUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSTQYKRVHFJEMAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHPYAAOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRSPYKQVHFJEMAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOSNVJKDKKTOXOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLQVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HLQEBPYPDEYAVQD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQRNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FJYAYLNIGIYMTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODVUCWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSXEFCLDIWWKLGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KJNAEAOUMDDFAHU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLWMI\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2816 set thread context of 3684	2816	service.exe	297

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2552	reg.exe
1492	reg.exe
1168	reg.exe
4476	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3684	service.exe
Token: SeCreateTokenPrivilege	3684	service.exe
Token: SeAssignPrimaryTokenPrivilege	3684	service.exe
Token: SeLockMemoryPrivilege	3684	service.exe
Token: SeIncreaseQuotaPrivilege	3684	service.exe
Token: SeMachineAccountPrivilege	3684	service.exe
Token: SeTcbPrivilege	3684	service.exe
Token: SeSecurityPrivilege	3684	service.exe
Token: SeTakeOwnershipPrivilege	3684	service.exe
Token: SeLoadDriverPrivilege	3684	service.exe
Token: SeSystemProfilePrivilege	3684	service.exe
Token: SeSystemtimePrivilege	3684	service.exe
Token: SeProfSingleProcessPrivilege	3684	service.exe
Token: SeIncBasePriorityPrivilege	3684	service.exe
Token: SeCreatePagefilePrivilege	3684	service.exe
Token: SeCreatePermanentPrivilege	3684	service.exe
Token: SeBackupPrivilege	3684	service.exe
Token: SeRestorePrivilege	3684	service.exe
Token: SeShutdownPrivilege	3684	service.exe
Token: SeDebugPrivilege	3684	service.exe
Token: SeAuditPrivilege	3684	service.exe
Token: SeSystemEnvironmentPrivilege	3684	service.exe
Token: SeChangeNotifyPrivilege	3684	service.exe
Token: SeRemoteShutdownPrivilege	3684	service.exe
Token: SeUndockPrivilege	3684	service.exe
Token: SeSyncAgentPrivilege	3684	service.exe
Token: SeEnableDelegationPrivilege	3684	service.exe
Token: SeManageVolumePrivilege	3684	service.exe
Token: SeImpersonatePrivilege	3684	service.exe
Token: SeCreateGlobalPrivilege	3684	service.exe
Token: 31	3684	service.exe
Token: 32	3684	service.exe
Token: 33	3684	service.exe
Token: 34	3684	service.exe
Token: 35	3684	service.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
2384	service.exe
4784	service.exe
2416	service.exe
4972	service.exe
1452	service.exe
2348	service.exe
2592	service.exe
4812	service.exe
1756	service.exe
3748	service.exe
4936	service.exe
4748	service.exe
5040	service.exe
2932	service.exe
2792	service.exe
2888	service.exe
4424	service.exe
2096	service.exe
4568	service.exe
2968	service.exe
2412	service.exe
2792	service.exe
1732	service.exe
4240	service.exe
680	service.exe
1184	service.exe
2816	service.exe
4788	service.exe
3996	service.exe
4692	service.exe
2304	service.exe
3428	service.exe
2868	service.exe
2408	service.exe
4884	service.exe
3460	service.exe
4584	service.exe
1540	service.exe
2792	service.exe
2616	service.exe
5060	service.exe
4128	service.exe
4952	service.exe
4516	service.exe
2756	service.exe
2816	service.exe
3684	service.exe
3684	service.exe
3684	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2988	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	91
PID 4656 wrote to memory of 2988	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	91
PID 4656 wrote to memory of 2988	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	91
PID 2988 wrote to memory of 1904	2988	cmd.exe	93
PID 2988 wrote to memory of 1904	2988	cmd.exe	93
PID 2988 wrote to memory of 1904	2988	cmd.exe	93
PID 4656 wrote to memory of 2384	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	94
PID 4656 wrote to memory of 2384	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	94
PID 4656 wrote to memory of 2384	4656	0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe	94
PID 2384 wrote to memory of 4584	2384	service.exe	97
PID 2384 wrote to memory of 4584	2384	service.exe	97
PID 2384 wrote to memory of 4584	2384	service.exe	97
PID 4584 wrote to memory of 1968	4584	cmd.exe	99
PID 4584 wrote to memory of 1968	4584	cmd.exe	99
PID 4584 wrote to memory of 1968	4584	cmd.exe	99
PID 2384 wrote to memory of 4784	2384	service.exe	101
PID 2384 wrote to memory of 4784	2384	service.exe	101
PID 2384 wrote to memory of 4784	2384	service.exe	101
PID 4784 wrote to memory of 3428	4784	service.exe	103
PID 4784 wrote to memory of 3428	4784	service.exe	103
PID 4784 wrote to memory of 3428	4784	service.exe	103
PID 3428 wrote to memory of 456	3428	cmd.exe	105
PID 3428 wrote to memory of 456	3428	cmd.exe	105
PID 3428 wrote to memory of 456	3428	cmd.exe	105
PID 4784 wrote to memory of 2416	4784	service.exe	106
PID 4784 wrote to memory of 2416	4784	service.exe	106
PID 4784 wrote to memory of 2416	4784	service.exe	106
PID 2416 wrote to memory of 2036	2416	service.exe	107
PID 2416 wrote to memory of 2036	2416	service.exe	107
PID 2416 wrote to memory of 2036	2416	service.exe	107
PID 2036 wrote to memory of 2932	2036	cmd.exe	109
PID 2036 wrote to memory of 2932	2036	cmd.exe	109
PID 2036 wrote to memory of 2932	2036	cmd.exe	109
PID 2416 wrote to memory of 4972	2416	service.exe	111
PID 2416 wrote to memory of 4972	2416	service.exe	111
PID 2416 wrote to memory of 4972	2416	service.exe	111
PID 4972 wrote to memory of 4736	4972	service.exe	112
PID 4972 wrote to memory of 4736	4972	service.exe	112
PID 4972 wrote to memory of 4736	4972	service.exe	112
PID 4736 wrote to memory of 812	4736	cmd.exe	114
PID 4736 wrote to memory of 812	4736	cmd.exe	114
PID 4736 wrote to memory of 812	4736	cmd.exe	114
PID 4972 wrote to memory of 1452	4972	service.exe	115
PID 4972 wrote to memory of 1452	4972	service.exe	115
PID 4972 wrote to memory of 1452	4972	service.exe	115
PID 1452 wrote to memory of 3176	1452	service.exe	118
PID 1452 wrote to memory of 3176	1452	service.exe	118
PID 1452 wrote to memory of 3176	1452	service.exe	118
PID 3176 wrote to memory of 3636	3176	cmd.exe	120
PID 3176 wrote to memory of 3636	3176	cmd.exe	120
PID 3176 wrote to memory of 3636	3176	cmd.exe	120
PID 1452 wrote to memory of 2348	1452	service.exe	121
PID 1452 wrote to memory of 2348	1452	service.exe	121
PID 1452 wrote to memory of 2348	1452	service.exe	121
PID 2348 wrote to memory of 1964	2348	service.exe	122
PID 2348 wrote to memory of 1964	2348	service.exe	122
PID 2348 wrote to memory of 1964	2348	service.exe	122
PID 1964 wrote to memory of 1912	1964	cmd.exe	124
PID 1964 wrote to memory of 1912	1964	cmd.exe	124
PID 1964 wrote to memory of 1912	1964	cmd.exe	124
PID 2348 wrote to memory of 2592	2348	service.exe	125
PID 2348 wrote to memory of 2592	2348	service.exe	125
PID 2348 wrote to memory of 2592	2348	service.exe	125
PID 2592 wrote to memory of 5040	2592	service.exe	126

C:\Users\Admin\AppData\Local\Temp\0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe
"C:\Users\Admin\AppData\Local\Temp\0b51ff56d951a24826bf1afe1958387c2a26a8c772368ea12eae5c0eb43bf460.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ERHVRPUGAUWBRKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1904
- C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
  "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGHDBDYTHOINKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe
    "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYUSB.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRSPYKQVHFJEMAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:456
  - - C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBETY.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EAOUMDCFAGUCQPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSECGB.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EWOKFVOPYOPMVHN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VTSWJNJHXVLLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSOWNC.bat" "
        9⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYHHSPNRMUIKCJJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        11⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXVDEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMYVUY.bat" "
        13⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOSNVJKDKKTOXOD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        14⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYIVG.bat" "
        15⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EKPBCFRSNLODRYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFCGBJVWRPSHV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ERHVRPUGAUWBRKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWNHB.bat" "
        18⤵
        
        PID:488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRMKPCPRMFIKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIFTXJKHQCINAD\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\HQIFTXJKHQCINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIFTXJKHQCINAD\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
        19⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        20⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIIUQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        21⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMYUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYMNN.bat" "
        22⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HIECEUIPJOLWTRV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKFKXG.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HLQEBPYPDEYAVQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXJ.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WSGSECGYXUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "
        25⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLVGWBFVWTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVIPK.bat" "
        26⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQWCDAJBGVUIJED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTLFA.bat" "
        27⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKIYWMMOJCGHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKCFTL.bat" "
        29⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNDDFAHVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBQYP\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBQYP\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKOPYU.bat" "
        30⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GFSIWSPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIPTF.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
        33⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "
        34⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
        35⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROTOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQDAPX.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOESNLQDQSNGJLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQKIKXAYFT\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\HDRXQGQKIKXAYFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXQGQKIKXAYFT\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
        39⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJYAYLNIGIYMTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHXKRB.bat" "
        40⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OSXEFCLDIWWKLGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        41⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXM.bat" "
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTHIDBETHOJOKWS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUSBB.bat" "
        43⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CSTQYKRVHFJEMAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQPBK.bat" "
        44⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJNAEAOUMDDFAHU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLWMI\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKVSQU.bat" "
        45⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AETTGIDBDYTHOIN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEHIRN.bat" "
        47⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLBPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        50⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        49⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBEFPK.txt

Filesize
163B

MD5
5d5193981fbb091f2db96343213a1540

SHA1
ff915d08eb74f807c0f4025cb9328452915d57b4

SHA256
0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611

SHA512
22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3

Download Submit
C:\Users\Admin\AppData\Local\TempBYUSB.txt

Filesize
163B

MD5
ad91fa5fcb3f9a4560bf64e3e29345c2

SHA1
f090c138b3272c6647ceeb552347725fbe0b921b

SHA256
55aaa496cee989de8c2087ad451665d9f5302460bd073cffb383eb2a71235722

SHA512
8f94628ba226a59704c967be1fbd64522924a4a8ff6354ab288da7352e4d18557e8297291853db1f3578a1c3af9df7a75fe1a52e39cb3334f5d9711a562f911a

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.txt

Filesize
163B

MD5
2b05b86f81f3f552c173732517bd599b

SHA1
0cb2c04c9e7e7a69a5f024b2839e57dcad9be67e

SHA256
08292b155fd449d35da74d152fc9217bc95f55a55e178be36a63a4e7c03eaef8

SHA512
a692795a37d5c5bbe675997e41f411d2168fa46a2f0a959d72dfc3bd1b6dde72e731b22bceb148bf57c458ed458917ec506fcf84e07187de7ffcc554546d4d46

Download Submit
C:\Users\Admin\AppData\Local\TempCQPBK.txt

Filesize
163B

MD5
f20f813d617504c8c3d41b05524ff2db

SHA1
a3d46b86d277ef7c02e3a1debf071bcab6acd8c2

SHA256
04659ac66bedc100622a16aeccea23897536c9a3d891e357ed1f9100f2275e4a

SHA512
9813d12e911e1f314c3806262941cfebf2bf8d7c411a04aa240a7cd14ae712f76115a16ea85a32a2cb37ca8d9bcf86813078c4a0fb599d74dfd8640814b924c4

Download Submit
C:\Users\Admin\AppData\Local\TempCUSBB.txt

Filesize
163B

MD5
aa1c14a22398ef6c5d40ed65c0cf2707

SHA1
aae424f3692d0dc36a2c02e641687cd3ee3daeef

SHA256
e5a09910c48356d9c695d636622a8dfc92bc8bbdebea6e8bde5e9425e5309c27

SHA512
d759c8be8bd44cbd02e86cbdd093d53a6c1675477303c64ff9275f78ce298bd972d6e2598e81d8ee88934721f6aad868b85d64fb0962d836a97c16308aff2d84

Download Submit
C:\Users\Admin\AppData\Local\TempDMDXB.txt

Filesize
163B

MD5
54d6c60ffc608f00dd497857e5ed5535

SHA1
a07e04085043cdca9ce013c27feaf9c150fdf4aa

SHA256
db948b4ca212e34e32f0e4509795d176f19745e001d621bce486ccaf0c61398b

SHA512
572f0c6a33637adfa394ab40f624afc85cf4c15de2c8265818fd2cc7fc6e30add6fda8200c07afe40bcd86e2d39e9e9c9643b6a65af0a587742f931ae4832287

Download Submit
C:\Users\Admin\AppData\Local\TempEHIRN.txt

Filesize
163B

MD5
a1b8c40bb88a786c6001601d1ee0d05f

SHA1
d69809bbe4406c24fa2464fc487848fe75dbd85a

SHA256
c339f5fddb844ed2de03e8e3795ca5bee76a30694531f08eb6e9a2566f2d3f9d

SHA512
2471e79706d59f0f0a363f750b3b7ac682edbbfcb03270360bcb07e6c876c89d58ddd8c03efb2f9b708aa4ac7c8a6693f8a8b265c4568f710462483bc277b781

Download Submit
C:\Users\Admin\AppData\Local\TempFGPLY.txt

Filesize
163B

MD5
4d9cd846e5ae462f57399f84e8e50885

SHA1
a2248c46ef224387d91bd5657b3bf57f5ecc68d4

SHA256
1326f6b17d8bba9c841d6e9a9cacbf6684206d466e390ca9b71f58a486835aa6

SHA512
dcb18b43f1485e0259bbcbd8b74bceaf77b9fe64a6d0f81f0eb8127e472c481bdd644bc1c24f1333ad4f44019b5c9bad19960bfdb7205c281043d04e47ed5c54

Download Submit
C:\Users\Admin\AppData\Local\TempFVIPK.txt

Filesize
163B

MD5
9f846d611886c8b57000102a0982236c

SHA1
80222b4ade3d2e00a8c923b62f6edeef38896abf

SHA256
fb13dfce3078689b589679ca6b022a8b7d4f0a262d48a82b169a23d4d19af359

SHA512
e15bc7849e5e01d9379cbe4030ef200b8db7c620f981c78b61cb7236b0c244ce243cabeca5831fe0558c0d8169a482f458545bb237bc1271492b8d23d17debdb

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXJ.txt

Filesize
163B

MD5
d6ce36dd9f718589784b732f96a47b74

SHA1
2bcdcf830c2459ca52ce321e8a40dac14d1cf88f

SHA256
cda09d1e52742534d3d40c243c5426fa88a279d917ce5e7b7443c9d1063066ec

SHA512
43b1dc34c405f0c4500e6abd21823cfd66e5a4b757cd55c09e07ae80f48975ba3da92dd745ae2036adc1bbd861d56bbcfc1302bed136197be51f66c1670dd012

Download Submit
C:\Users\Admin\AppData\Local\TempHXKRB.txt

Filesize
163B

MD5
1733b46f8f323061018c2045a618f342

SHA1
53cac017ab9f4d3f003872c2b52635c11a120957

SHA256
c82506c973f1704099b011e814298b2b9740826bfaea3212907aa107fd93dd76

SHA512
e1d6096fc0e550b38dbcef7676d735cf1b6cc12c82738deb05ec4cab2a8b2179b40093a161c610785bd301498923ccab95c82f525cbca46ad1c1f0e234fc4a83

Download Submit
C:\Users\Admin\AppData\Local\TempIRDJO.txt

Filesize
163B

MD5
2f862968031e33678a88f2721ca60fe4

SHA1
eb9b36d5d7dbf37df95e68eb7f96a9851d677ca4

SHA256
e2782e5da22d51f2f8113104c8eb4eb46ceaf5b8f1174db2a0e208411d40c71e

SHA512
6d4273685b4801dc79d6b9f83a3cff53214f469fc7272a1c49a49ba6cc518e1aef20b31ee28c93c37be6d6356b04a0c8d32266ee34e565345b9a25ac75486f99

Download Submit
C:\Users\Admin\AppData\Local\TempJBETY.txt

Filesize
163B

MD5
51046d8150e00396f70a171c659fb3d6

SHA1
e180bf5ba989fca964baa160df962dbdc05b64ba

SHA256
55d5014fea8285bfe4ac0f3cab474180f7ef8feb0d72f9e2f48f144558bcad07

SHA512
40254445c7cf646df4a19cc893f8e747e73a456e6e609978eb6c14046f954532d908a10ca0bc60e3924f461f93a42a2b8595c14110cdfe92189b0efea3041a85

Download Submit
C:\Users\Admin\AppData\Local\TempKCFTL.txt

Filesize
163B

MD5
ddc0024f27ec8b6f9eef1b440ef3eaa4

SHA1
2448c60769b28665fa22736c72f12b5ec3a8c689

SHA256
892455d99b2f97ef1b9e98444e3f7fee5606a6dd5d6ce6d4a9c4fe6d3a0ebbd3

SHA512
e4c64ccacc66a6c48baf9a2e657f1f27da1e928303eaf661c40414caf6ab8dffb454dbc94b175e8ae6b2dc13eac866ca17ad573b60e35b5219b6f0dc1a8263de

Download Submit
C:\Users\Admin\AppData\Local\TempKFKXG.txt

Filesize
163B

MD5
180e59210727c9a9f73bbcf621f572da

SHA1
cb302fb532b4c99e030039fd2113c63a0f134874

SHA256
1cca82a4a62b7735bb73f961a1a941504a83b7add718c82a576161c190dfd676

SHA512
669f0045ffe8dfcb6d95ff5ca47ad5506c0b9490225faebb30726b7c14d4bf7bf8e4594c61faf9fdbea6561f79d5ec92659d46076bbc9de2374a114616786e98

Download Submit
C:\Users\Admin\AppData\Local\TempKIQCJ.txt

Filesize
163B

MD5
3bf0ca3ba9863d35e7db3e7b2cd31b7a

SHA1
ea10955b351348e554138f493d3a22c60c44c2cf

SHA256
c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764

SHA512
d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb

Download Submit
C:\Users\Admin\AppData\Local\TempKOPYU.txt

Filesize
163B

MD5
c254e99fabee11d8be1b859b83f2834b

SHA1
332ae13963d30151efb76b84df48f4e0d04be478

SHA256
047d2c19c884e501efb6b709d5acb4272eedbc18fc117905fce4acebb3b4c633

SHA512
fd7b19c9ae2dd6dff49944e0efea9e692baec510e5814b12482bc104e6ed5b35f30965c3aceb68e9334a0a084d4d7f40b170a28a07c092e88aa9f7f8284eb958

Download Submit
C:\Users\Admin\AppData\Local\TempKVSQU.txt

Filesize
163B

MD5
ef88c9b556f144ea3892f98f5d493f6b

SHA1
09ad84fde8cf8045cefae4824c3aa9c17ea72016

SHA256
7e3823c30a8dcc50cbf9d104c7de6add34febfe74ff62f715558595c5913a051

SHA512
eb877fcd9411abeeb934acb019c7609c0560d7985107cad429845b60432d680552edd14913dd70ee68e6a20ff1c7e190b84b7e0ad4c262dff10f6934ad5ff847

Download Submit
C:\Users\Admin\AppData\Local\TempLTLFA.txt

Filesize
163B

MD5
523f6fb12aad9b3afc5e4ac50d4fa9ed

SHA1
5cf5036d0d780ae7ee7188a91f08f4039fd636e4

SHA256
f41ddf012c0770d9640cf251a8f511588b6dc257bdff10f99379290d122d35f6

SHA512
2d03d14896fdd72088f867fed4dbc41281bf20c11d1058b6d51d00f9d2406f3e8c23b020b97e7e753e4451fb5684c9251fa1f31c9aedc5a2ab68d4cb9f7d2dd4

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
744a5026709d2e515773358787335ddd

SHA1
30e8cd8484237258baf44dbe7519134890471634

SHA256
275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9

SHA512
7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a

Download Submit
C:\Users\Admin\AppData\Local\TempMYVUY.txt

Filesize
163B

MD5
21fb33137540bdf35c8d08f557691e06

SHA1
514be8ba7ace36a533205a2d373ce9e5ac18dda1

SHA256
1de2d80604a917e407e2e10a151cd41eb41f9afa6c08d52dbcc70035303e156e

SHA512
85664578204451cb21a68dcd9a8e955b07af6e3b554b632cba2698de9411102c3624d3433be1387eafe07cdb532ebfae2c7e9f0ba7695bebbe27e3764cd11c1d

Download Submit
C:\Users\Admin\AppData\Local\TempOWNHB.txt

Filesize
163B

MD5
d676abf4c96bf4b56a878a89502d072d

SHA1
7cee4d76a1c995a0ab27a9e7f23b89a056f0790f

SHA256
0d41f4cae68c1f413dcf0c0974c05bba04d97e465db6168c048ad167f184ebc8

SHA512
565d0409ab2a9383f7be4f721c1e9f2af84aff0ac0e70f2fb4d9f214d7ed6517b6ff6057f1ce856f3970fcbee1ebae9c57121a098f3310da3c1cb9b112179b19

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAB.txt

Filesize
163B

MD5
d18f27cbcbff0b57d8cc1ca92b1fe873

SHA1
ddc061669fb53a10245d6f24b0b7e7b26747fe3f

SHA256
cc4271fa9e89959b67e3d7ed40dda3e3061dd78a5791f71c456bdaaacaf9d549

SHA512
12c0c0ebbd8cf1c10609f1a32d548587eb75a8e29c317b1c205afeb1f2aa2d4fd8fbb8cde2e8044f78040d66aaf9d51d6138b647b316f47b414e82f27e2488cd

Download Submit
C:\Users\Admin\AppData\Local\TempOXTAB.txt

Filesize
163B

MD5
8610698224f1ce4238cc3a9d26388631

SHA1
8b0b27187e159acb12577814d42c86dbe8e334b7

SHA256
c3d25eb9b2781ee346ef3e22cfd72e3402409fa4cd17bcd73f5a43ac06f94c16

SHA512
889d816916b8b80551c0f7980e0849a09b7c4e2e9b988f8993c3442428d2e4a2b280baa691d970abfd522da64cf28e9baa04fb4d91f4a4d414c6b2526360ef67

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.txt

Filesize
163B

MD5
5e8d4720735e142ba939ae09e15ce7eb

SHA1
94659e98c8e733ba0a21fcf2803243976559429d

SHA256
cafa2c1a74130f00800753d0c66702d801d93f118424a3fe0f45713c866dd49a

SHA512
bc2628595a3c9ac1e12a9f69fb7528b48a17ade9629f91dc652dd8959ec6558ea2c42ab6117937842cec5fa8d642c66334d6fbf96a3edd80c65b52c85789daae

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
f6bd5be39db4db89d196c2f9944a9580

SHA1
53b95e1a9c1e36709908f54d100d4d2bc62485c7

SHA256
7e918de8b52fdcc6b56b559131fc2da3dcae25a6ffa5d4e74fe14cc1c7f43c6f

SHA512
d9da08629c1f24b101a711d8fba4126a81fbad72a376a3671f2c4c28a57a0633954c8917f6f2b0ae1c4dcf59bbfc4395d1bbb9494861f63720027af32c8a1463

Download Submit
C:\Users\Admin\AppData\Local\TempPYAUT.txt

Filesize
163B

MD5
b81b242d63ca369b233fa36582c8796c

SHA1
91f2ba28d7ceea60b242fec5770d6faa8beb6358

SHA256
ff4fb56732f34d19d312008f66405600523da51adff0f06c9f86e163234ddb1d

SHA512
acd8f7db05de271fd445b31db9f4c1da515f48a5cbedeb77dcd949b1c986f23ba0452c57872a32a5eb011d59e95ec0ec0f9a21afa65a12a8c711b192875e8671

Download Submit
C:\Users\Admin\AppData\Local\TempPYPEN.txt

Filesize
163B

MD5
c44afd7912f51c2659b9efde3da5a6d4

SHA1
ca797fe6a18d25216fb817ed0169c0c06c0be19c

SHA256
5782ff77fa470c2c03b83cc6b102b5c650f20e8cb19f23544b2c63236038a0bf

SHA512
266aef161fa8d67a747652b874bf4017e3209a2ddd0a3e3390a41cc8825cd3afd749c75268868d2b398bb8ad632348fe90e8a2ae84c48e15ede9f3994fa32f36

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
e115dd731a66a0d6b86e24bd7d9df00f

SHA1
389d013e35da35bd9464d3c17865d9bca0bddb34

SHA256
bf0111bb204110231ee3d618c515d3222d14bb6511fa6e72366804e0af34b663

SHA512
e8e1ce929b4c0b657bec7f022773180faf9dc66fa1452c254677b72df806b515e9c2c3c5fb9ecff73d1900f3f7e234064b78121cae9cabb2047b06fd7df11bb2

Download Submit
C:\Users\Admin\AppData\Local\TempQDAPX.txt

Filesize
163B

MD5
92ae3555c5d0f1cc672c547510b46410

SHA1
b69bd15dc681887156b11eba1f0c23bdb573c0ce

SHA256
9e1cf37ef22189f9335fe0ebd2d8d0f0046906cab31edba1ec6e3a0cc1e3d9a4

SHA512
a6b05f408ecdfd15181380ef1d7afdace513d2b614aca7936ceb6b2dc1fb5d9a34dcd97df9ab862c0e592f751762685ef539c95dde8e0b44a8445df84637c1dd

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXM.txt

Filesize
163B

MD5
5781f0b891ab129dc3ad49cbb3c17dc4

SHA1
51903e0472dd1a0a5a3e6ab81aa38c6d3c813679

SHA256
553d90ba51b8182004f9325ff660b552365a354dded73bd497c3fd1b311f3f9f

SHA512
5f3d1cb4b29353b5f4081a63daf1ba7c4c81af916c856398e71e84313684239af37e238d4f7fa20150577fc2f55462b90ee986243d3625e4cb1a7f2990399676

Download Submit
C:\Users\Admin\AppData\Local\TempQYMNN.txt

Filesize
163B

MD5
320108166a139eaa778137873e101e1e

SHA1
9512d0994bd49a432a51ad88d8530937e3844cbb

SHA256
0cc11619de55e6a6f53ef0337e57be0383a569a167a2c8c29b4a23957d337ab1

SHA512
c650e8d11ea4807f14a87b6abf78c2ab9dcc405c9774fa02ff44992d54d75ecbdb8b8ca4d4b58cc270019e80b888a9df8b5bcdc84fded66a8a36ca6b10d93b7b

Download Submit
C:\Users\Admin\AppData\Local\TempSDPAX.txt

Filesize
163B

MD5
096b2b4c690092627c0de5f0a0587ef1

SHA1
9f5499cde773dccffabf0671c26780dd90df403d

SHA256
fbe8f44c9a17da252c656438e559c522bda22756c4b386bd9f8b25bd8fa7f129

SHA512
c4e8912a2bc0729f21b23ee8f55f9d40b708fc8e09ba94809cc79e8fb805e1e6ea189276c27e9401dc351bf3450fda3594e72032aa011b6452ad6e4edec88a03

Download Submit
C:\Users\Admin\AppData\Local\TempSECGB.txt

Filesize
163B

MD5
c648676b3409318a0ba3556b9d3841ce

SHA1
7abe96be2844f485c5e2dce64f64bd9ac9f4ba9d

SHA256
f1d53f255a5f4a0bc911111887353af79287e73fdf1969a2361d9aa0b3bcf0c8

SHA512
344f0057d7becd11ae1c3482ae510159582224266d0c7aea34370639ed599fc555b8fec8600f04ccc4e66eb674487516c6917882e6454d58a6650cf149724a48

Download Submit
C:\Users\Admin\AppData\Local\TempSOWNC.txt

Filesize
163B

MD5
54de8d3808c477390a6eb8a521cd438c

SHA1
e71b85d6e241559afb6bb59c35efddf27973d61a

SHA256
285128544512662b0c5dce0f15b1b0436eb4bce6481ca485f48cb7fabcf91e51

SHA512
2ff756627f91ca0577bfcb63239dba5bc3779b5c16aec82b7d8e1767e488e97a5064443d8adf80262aedc332cde5f3ef606e6695773c6dd3506dde5378bacc7a

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.txt

Filesize
163B

MD5
f7ba3003abace6b729e90846c39c6611

SHA1
5bf554b79425f3a5360099fe06c1e130646e92b3

SHA256
1ae7f323380aeb55d296ed26692acfdba76fde7324227038a99ffc882aca0ea0

SHA512
025fad4227a44c11522895fe779e8de2f065792b777091a07b6bc3590715485ae54faa6223580fd171134d93514dda0350e1c848d853f876a5a99a8b679cdca5

Download Submit
C:\Users\Admin\AppData\Local\TempTYIVG.txt

Filesize
163B

MD5
5eef91812f31b246b026cde2a42c85b6

SHA1
124fe519724946f377271975b576e7f59297cee0

SHA256
b4bb5345a5083de43845d5ecb79701f51c4710eaf00f0342a065752af1a7bfa1

SHA512
d3549002ab5ed970eea67511e568b320ac517c162fe1a9bddcc4e01a53d9d6f46721506ee53ab3a462b509b4c368ceaabc80b52f01b0e4651de76d0d1d8734e6

Download Submit
C:\Users\Admin\AppData\Local\TempUKIMH.txt

Filesize
163B

MD5
ae2842a439c6b8c7f1c37622a815b1e1

SHA1
2522555d1615e0abf8fff285290f316b0cabf78e

SHA256
77be13c912c0b1d6de3ee8b5546a887ad20afa32c6323c7390820c4b03250fba

SHA512
9ee0a27c64ebcaf1218ae39845a39ec53a8625c91064c08e28e9c8e37cba7c7540022424a48136a99b0250d446a0cc60040127dfcda21911156d9ce03ff65895

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFN.txt

Filesize
163B

MD5
bd032580b7effbda479aa5f35e128787

SHA1
50508bb841bfd66058e19d4d0d971214fe972095

SHA256
a9692075f56f7d52e431da2ac5574b7c74a01dde78bd823e0c4796483c39fad8

SHA512
3530dcd2586f93cf7061be08b75951e8350e9df9153c0619f9f7b06f7448ca59893777576a5c0fee503a22d83147a6e4a56614d549b9c685c1f4730c2032944c

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.txt

Filesize
163B

MD5
c472e3e74e3ca0c47c1b69893e320dd2

SHA1
9d3375c6871b703f8d2b105bc190f3899dc7e165

SHA256
c72a7b1a25bbbfebfbbd7c54bcd8073867c6489824218a39287b09247ba4e6ba

SHA512
855384bc974cde049edd3fcf0132b0826b842f643c54e81f2702a04240a8d60229cd0e4711a5637d0aa5ebc13d01c70bd8c53c4d6ff613ec11e5eb9ec97845ee

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.txt

Filesize
163B

MD5
3fb6f383a6569a2644b9b521c3c29c63

SHA1
11473a58356b244d8a54c78626a17d72b634a474

SHA256
d3db2bf635e6d3a7e421257da4ec663bbdee3310bfcbde23237e73d8ad371335

SHA512
195c1c7a17fa85fc9953131516727c008a75f3ba97c625ae1ea7fae417a880159a6baf906f0a9fa2e3e69ef8707fddc54b472788a8e36948cbb94ca54ef1bde1

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
b96c1ebb8b5ae79aaf417f1571d5ca9d

SHA1
4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f

SHA256
5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d

SHA512
63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f

Download Submit
C:\Users\Admin\AppData\Local\TempWIPTF.txt

Filesize
163B

MD5
652f407aec6e62db91f8dceaeb49bb33

SHA1
0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe

SHA256
9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e

SHA512
7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.txt

Filesize
163B

MD5
1036694855fb4a7a2d274b4c669b26b2

SHA1
35b314a574c52a15ef97db6bcb93b67e65d7147c

SHA256
98eed1fa6b348ef715e7b27b7513cd15422bf93d431d48d1ba065676633662dd

SHA512
367a96fdcb0ba7be9d191d3247fc8f1225c348ca91e334a21d14280ddc2ffc1b760c345f776e087a4ff673ddc5163601d4d29cf6bde02104182f50ce4458ec47

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPK.txt

Filesize
163B

MD5
3be5651aff782cb913c886141056312f

SHA1
fc74b74441bb809ab2c3f2a519076e0b622dd811

SHA256
4982445754d15953209afcc8a495b211a2588f39b453854264d8d9f13470a930

SHA512
200822c05f137384a3740d0c8db281bbbac97b24aa88bfeb322b1f49d3fb1859cd60ae48b2b2e5be2b9482f141c7b21cd9468fff63d7444200d9f3a961486bf7

Download Submit
C:\Users\Admin\AppData\Local\TempYFGDM.txt

Filesize
163B

MD5
ae2b80ec322acc6a3a92946b6017b9b2

SHA1
df6d13bde6c449353f44fef2a2ee64117504e7b8

SHA256
40baf497022d6b4a4b5aab79809cfe0e6cc012491fabd0beff85cf55ee2495cf

SHA512
ea3175e8f20c417250ebc64d9ba7ff6f9092ea1cfcc598a93f2a58de8329d98c649d47bf2a8b4a85a834d9fe222e56f993b245cd9a89cac10a8cad028b9200f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe

Filesize
520KB

MD5
990d6b928a52e92b2e12c74863af1e1c

SHA1
00a0bd3b3d13f910a36f60ab8f841c59a26d4e6a

SHA256
ab15db53d3c6e068001a477b6ed8a1e512affeffc93f3fff8011256e3330c6bb

SHA512
11d92192a2ea617dfa49ad0c72347c70681927da762d69d371802538280326237271a1369f4fe9e6a11b1cfb75193f360d09eded84dd58cd2352f9bfaab0852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

Filesize
520KB

MD5
7ef0f75c9bec54afaec8203d88098550

SHA1
8406f64c541b878f71d03766ea02f56bf935bd4a

SHA256
b2b3fa7acc8da8e85b7cd7b115c67de4421181a1e5dbe557b63d568669b5f7a7

SHA512
50356447a50bcceef8f6dfd47a3216d073c11a7503f71d4ced5d13b21fe2b68a21a3d4f226d06fe999c8715a5b622ded0a436ec2f0bc6e2442da125252f20db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe

Filesize
520KB

MD5
cf1b086f5aefb19a11226d07ce540600

SHA1
8d9ae6fa114fd24bbf2d0308b7512c50cc56cd4a

SHA256
8eee564e6065b3e959c83ae2e25a17f9f2d2dabacecccbe05886e7884bdb4b79

SHA512
5e300a46bb22934587641aa3ecd7883f9f7e75bc0335f14f24514995a759787eebf5223b9d62e42b0174edf05ea15bb3cd45eab1ad74230a00e689dd2b29b6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe

Filesize
520KB

MD5
3c51f77634ff5148e9ffa77520c8e88c

SHA1
3d8316b4d06ce974435d2b4437e806f1ce093061

SHA256
c14379b9072b6fd4c92803100cd3cfc317e5b3886041fc29f708466cee6913b0

SHA512
81c64df5ea8aea5cef800023c12a12ff096c5c635169468eb8945b41728cefda6aa4e3fbb15b170cd2ab03225831f9a5a0c0dbfd2c5ddef8579d39476993dfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.txt

Filesize
520KB

MD5
2b23c239c649588e030a37ac93291805

SHA1
8c338eb74a0593ef272c28c249bb5c37bcee8dbd

SHA256
622bd34b7289fd876040c883f6e90467a1562bc440ba24a23e6204c03422dd83

SHA512
b88c8d3c5c08ec4862c18db02899e87218924341d4d6b274f2f5497af7cc761c33be4fe285b8a613acdfbeff4f0a6fd93a0f40ea3d223b08c59f5f0c24b5131b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe

Filesize
520KB

MD5
0c1a7cc84145116788588a6fdae83150

SHA1
226a179a28fc5e66b6d89b0db40336694d26c49b

SHA256
a97b5c29376a3ebc1b2ce34b8a67aa0cb5cfb35a04fcb1a386c0305ed1429b17

SHA512
6951f9387206caca7c8886c3463b460d27226d34d07cbe8e8c89972a4a414805463ec95fa6982ee0721c9aba33e45d90fda33dc261f0f37070a1666ec21f712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

Filesize
520KB

MD5
727d0199fc753d6ade3844bc2e919dd0

SHA1
414e0da59867907220b76e74dc3aef1507d479f3

SHA256
8aada10407ff13eaa5b7a64594ce987bf665b08b485ed0e822f2a4b0a3430038

SHA512
2c1136611e684cb7112642d4d958bf77babd6e468da20f734682e9d6cb7112f204266a00e68599eb77af961aab8999b4b5b631c57faca390640cac2b35c69906

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

Filesize
520KB

MD5
948eb316717aa31a72730976827615e2

SHA1
337d73490df9d045c0ceca9b5f940141adc12e55

SHA256
f35bd8bcc3781fbd41b79dab1d773d7543dbb7133b215ca8feb76fb7aa86b719

SHA512
584ec6a9aa89dc0385b8d79b15f416bd3a284799c577dee13e6057118ce343fa99d6018e45ba7766757b3eb8557eacb7268cd2926766e2ac4c98846f10632aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe

Filesize
520KB

MD5
233a31b26a864a18fbc408b53b9847d6

SHA1
fd8eb0f712d7b1f26a67147541d45f87130476d3

SHA256
e25c7a1b4de21ead774ef11bdbd470d69309ba6b89989db48ce33cc944c3e69a

SHA512
5d627bf4026e559a21132b5753ec242c9c68b6dbfc287264919ba68c03fc2bee7e1900ff71f570985b069efbcac388176322ffa359f3ea8865009102b1c30267

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe

Filesize
520KB

MD5
8f24e95ba39fb539a7ad35973af50f41

SHA1
7368b7b18d7b5ebf8900bdf614190165180333d8

SHA256
aa94886c13eb5453857ae1189ef9be95e99a0099ec689a4dd6f4eb8cb9cf840c

SHA512
3b977616ee2e1e61ec883fa7056e573d04073453ac84079e8e9cc3a6455759cbee9c7db8cb5d6426bcd635dba4f42c4434c6bbc59b98c27fe24bf3d3dedad2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe

Filesize
520KB

MD5
9af553284067e81774da7ac5bb86c1bd

SHA1
191b6c6af28a590d3b31f86d74524c7734592e33

SHA256
e2f874a62e909a4450dbaaa69875c4430e41479da4ab9800201da9f34dd42dcb

SHA512
faa6c1f665af563cf2f494d99578c03db596ebe3811e477d8db1972a5d38c565c13ea93b12dc47e4e18de09b36dee16232b37acf9a4531899b68154ad275cd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIFTXJKHQCINAD\service.exe

Filesize
520KB

MD5
68aea9ac898f35d514e148b98c440f0c

SHA1
bd0cb5114bd2f74e19732d86e5e9c66aacf6303d

SHA256
df87b800e47d082009a3cbb9e20e0cb129fb14813e46d1a8e4c168ce2de98684

SHA512
de5462d2d6cf5a2a81507224b40564e29bfba4c2de4c17702d2a0666fbcb6e77eceb81f248eaf78c51fbfe6aebd979ae86c253270dcf022759a571bc89edb526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe

Filesize
520KB

MD5
5db02284fc8becfff79fb3a3434ca040

SHA1
cc98f448956153ad979cae0d40cc64a2b9cf84d5

SHA256
5d77cfd9ce16ad81a4fb5ca04cedb5d2800c566d871414284bfeefda6a3f2a82

SHA512
8c20769184b13a88c4e6e8e03c7e24f87ddd850529948c422828e9d2a5b2b1f5c6d6c950fd7024ebf1da1b557b325efe74fea72609fc4ddb25e979606e0794a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QTICAHRHMEVMALB\service.exe

Filesize
520KB

MD5
8eedb91228dea96256351ff573a6152a

SHA1
5fc3893b5354c4c56d80a0ab62070467515941da

SHA256
0001a72e13df5453150e242995d02fcbace13f2da79bbfce7b732c90be6e244e

SHA512
4d0864e1d0160505b6326ff65e28c26f920612da4a4a2db25fd53289ef660598ed189263e92cd21c79736e21253dbc623e6de0cb4be23a78009de10db25d18e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGCWRFMH\service.exe

Filesize
520KB

MD5
6274d263d80c495dc5a6d20813b4e429

SHA1
1051fac0882148a98cd713dbc47c5b84dda8add8

SHA256
a7fc6d80b3fd1f822a263787b1d0ba6320688b8f7120fce4cfefcb29dc80239a

SHA512
f2f84282b45c299749ee929a9e9a41376586da43c05710d703e4b754d8cc897cdc2f208d67f4747e1d1735eb5025eb96ba286f1e8e0eaef3001548aa7b721858

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe

Filesize
520KB

MD5
2304494e26e2a623f3cc5234044515d5

SHA1
900ae2b202d21db5c0dfe7398abd71b96d4a0aa4

SHA256
a57adf2c0da85857891f9ef12bb80747cab0f21244982910edde2543eb98dce3

SHA512
61f491035a5657d0c02fea358c27841b740d0f1f40ea425a49c98f7cb5696f7af00d5da6ac40d830c8e936e31ed8cb669f05a3f7cd80ad8b74738a70583454e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe

Filesize
520KB

MD5
0d7693613c2d5aad722c4ffa510cfae9

SHA1
dbe4c55bb9a3c70eb3b56560143dafd6a1b5a925

SHA256
97b81535072bb17360c29bac7ae14cdeee3d059ac434db7041ca731577f8bad3

SHA512
865d1fbac4857558037f28917f8a8e0859d7a2a4e8d305ff207f8193cc222c5b2e972861ba916eb759d16b165f26018e89e3a93f4afb239b9942298c2d0e38e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe

Filesize
520KB

MD5
31d99eebcfceffb5489ead2815263461

SHA1
6fcc6c573e46038fea02914711da8dae5822ccc0

SHA256
0e6e9c99542dddda2ea0d71f14dd9e5cec9bd0fe76a0928afcd059d1a7da7880

SHA512
ac9b5a9a6e84f61bb12878df997f79a8605e786c5b53f2d432f050c63a6053e00e936579f67d21466cbb9226dabbd63efe02a96ad9f8ff23fafc8c9d363bc28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

Filesize
520KB

MD5
cfa298e501b697d48d04aada079f8cdf

SHA1
3d47ea113ed3265aae518ef257e473828934b338

SHA256
6eee82642caea6a4956c28761de05ca91c3b4a4a9b69a96dc063a2a0d2e8d23e

SHA512
2751b5023ba4fa03c9e4da11fb24731f306cf0c53b76a397465282acede779767837a697b7d0d6e0f9df3d9a182932d110f341f71481058bf5b60eb4c6d5038d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe

Filesize
520KB

MD5
235732bf25a9823ef71aa0b44fb455e5

SHA1
19b860507aaa8dd3572ac57143b4cf5e3d6eca54

SHA256
af2deff3a5fd5f609c4882d10202fad2b184a88c656ba46ab416c72bf1823916

SHA512
e33210707665c3febc5a031e8d9df325a1a4a4434ecb2afa906f715e656e688ab37de90d0fc9cc1537dfe78ba5a945856e1484b87391ca16604c8433db3f5b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
7a5ae970e49d9ac1688dd7f7ac8f9da9

SHA1
82b3c8f345945f0f9a89005483b992fa35ea7f86

SHA256
cb8adaaaafda606b24a016cb6ee67f92b8a78b8fc3172a5b2b7d1e805e1020d6

SHA512
fb7ad36f6b8c3c99f9a8fe4aa22ae249105a950a01b951d2ac2ebef5740ae4c07c18d5da6ad4633185cdc1fc7b9f379c7e0754ae0a711aaa3d774fd28a1c7c6e

Download Submit
memory/3684-1170-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1171-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1176-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1178-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1180-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1181-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3684-1183-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads