blackshades | 10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe
Size

520KB
MD5

7f1c88ea3a29e63516a50ae0df8c511e
SHA1

21c7851415fb128169ed11f1fbfd8219aa59229e
SHA256

10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f
SHA512

f6b64f430cb492fec84d4fc63c54373e60f65210d9ed15c79a334f9c9e3ff7f66d9bb46ce5c3d7b96df1ce8a27d09dd1d2ca7cfcf6cf19c57b4ef41da9993f8b
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXJ:zW6ncoyqOp6IsTl/mXJ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 5 IoCs

resource	yara_rule
behavioral2/memory/2920-1579-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2920-1578-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2920-1584-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2920-1585-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/2920-1587-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 63 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 64 IoCs

pid	Process
3516	service.exe
2588	service.exe
4144	service.exe
4244	service.exe
3828	service.exe
2716	service.exe
4188	service.exe
4192	service.exe
4380	service.exe
1468	service.exe
2092	service.exe
5104	service.exe
3872	service.exe
3504	service.exe
1100	service.exe
4392	service.exe
1580	service.exe
2372	service.exe
2444	service.exe
4392	service.exe
1392	service.exe
4128	service.exe
1628	service.exe
3264	service.exe
400	service.exe
2024	service.exe
4540	service.exe
3500	service.exe
1104	service.exe
2444	service.exe
4768	service.exe
3580	service.exe
4136	service.exe
1148	service.exe
1664	service.exe
2304	service.exe
3900	service.exe
2728	service.exe
5092	service.exe
1644	service.exe
4600	service.exe
1792	service.exe
4724	service.exe
4380	service.exe
4268	service.exe
4468	service.exe
5092	service.exe
4620	service.exe
2232	service.exe
432	service.exe
4404	service.exe
8	service.exe
4824	service.exe
1596	service.exe
5092	service.exe
2092	service.exe
2828	service.exe
2060	service.exe
4716	service.exe
2228	service.exe
1560	service.exe
2440	service.exe
3980	service.exe
2920	service.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XENXVFBMFGXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FJYAYLNIGIYMTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVUCWMCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVANDRMKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTAQYMXNJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHXVMMOJCFGPLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NRWDEBKCHVVJKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDKWAXSRATJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IOTFDHCJVWRQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRIQFPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJKVSQUPWLMELMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTUHNUUFYYNWJIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGVTJTNLODJWWIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYXUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTMCMFEGXTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBTXSOQCIPPYAUT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIGNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HLIIUQOSNVKLDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REIECSYQHHJEABL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBCHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXEOXVFCMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIVXJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRISOJSETDS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LTHIAHIRMVMBKVT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWDMVTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGATARNXOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXMNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIEYTHO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RJSOJTEUDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSPQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTONTPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWULLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSIBYAHQGMDULAK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQCGLYKSKTQKUFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGNIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGBIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWNKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHWWJLGEHWKRAMQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJFDKFVIQK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFFHCIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWIICVACTPQL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJVHFJXYBLQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOFXOLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWSUGMTTEYXMVIH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXVYJOTABGDS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FJXGGSYOMQLTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEAVPDK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQRNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONIRYJFAQJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFWSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JFDFVIQKPMXUASW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOBHMCO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TKTQLUFVAFUVSBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFEHCIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKHQCIN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBPVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFABWQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRECQYQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOLUGMRDBFAITUQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPUBCHAFTTGIDBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYWBOESOLQDQSNG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BQYPDEAAVQDLFKY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVWJOVWHBPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DTTRAALSWIGKFNB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUISJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 2920	3980	service.exe	363

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2500	reg.exe
2444	reg.exe
728	reg.exe
4880	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2920	service.exe
Token: SeCreateTokenPrivilege	2920	service.exe
Token: SeAssignPrimaryTokenPrivilege	2920	service.exe
Token: SeLockMemoryPrivilege	2920	service.exe
Token: SeIncreaseQuotaPrivilege	2920	service.exe
Token: SeMachineAccountPrivilege	2920	service.exe
Token: SeTcbPrivilege	2920	service.exe
Token: SeSecurityPrivilege	2920	service.exe
Token: SeTakeOwnershipPrivilege	2920	service.exe
Token: SeLoadDriverPrivilege	2920	service.exe
Token: SeSystemProfilePrivilege	2920	service.exe
Token: SeSystemtimePrivilege	2920	service.exe
Token: SeProfSingleProcessPrivilege	2920	service.exe
Token: SeIncBasePriorityPrivilege	2920	service.exe
Token: SeCreatePagefilePrivilege	2920	service.exe
Token: SeCreatePermanentPrivilege	2920	service.exe
Token: SeBackupPrivilege	2920	service.exe
Token: SeRestorePrivilege	2920	service.exe
Token: SeShutdownPrivilege	2920	service.exe
Token: SeDebugPrivilege	2920	service.exe
Token: SeAuditPrivilege	2920	service.exe
Token: SeSystemEnvironmentPrivilege	2920	service.exe
Token: SeChangeNotifyPrivilege	2920	service.exe
Token: SeRemoteShutdownPrivilege	2920	service.exe
Token: SeUndockPrivilege	2920	service.exe
Token: SeSyncAgentPrivilege	2920	service.exe
Token: SeEnableDelegationPrivilege	2920	service.exe
Token: SeManageVolumePrivilege	2920	service.exe
Token: SeImpersonatePrivilege	2920	service.exe
Token: SeCreateGlobalPrivilege	2920	service.exe
Token: 31	2920	service.exe
Token: 32	2920	service.exe
Token: 33	2920	service.exe
Token: 34	2920	service.exe
Token: 35	2920	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe
3516	service.exe
2588	service.exe
4144	service.exe
4244	service.exe
3828	service.exe
2716	service.exe
4188	service.exe
4192	service.exe
4380	service.exe
1468	service.exe
2092	service.exe
5104	service.exe
3872	service.exe
3504	service.exe
1100	service.exe
4392	service.exe
1580	service.exe
2372	service.exe
2444	service.exe
4392	service.exe
1392	service.exe
4128	service.exe
1628	service.exe
3264	service.exe
400	service.exe
2332	service.exe
4540	service.exe
3500	service.exe
1104	service.exe
2444	service.exe
4768	service.exe
3580	service.exe
4136	service.exe
1148	service.exe
1664	service.exe
2304	service.exe
3900	service.exe
2728	service.exe
5092	service.exe
1644	service.exe
4600	service.exe
1792	service.exe
4724	service.exe
4380	service.exe
4268	service.exe
4468	service.exe
5092	service.exe
4620	service.exe
2232	service.exe
432	service.exe
4404	service.exe
8	service.exe
4824	service.exe
1596	service.exe
5092	service.exe
2092	service.exe
2828	service.exe
2060	service.exe
4716	service.exe
2228	service.exe
1560	service.exe
2440	service.exe
3980	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1096	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	88
PID 1100 wrote to memory of 1096	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	88
PID 1100 wrote to memory of 1096	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	88
PID 1096 wrote to memory of 3244	1096	cmd.exe	90
PID 1096 wrote to memory of 3244	1096	cmd.exe	90
PID 1096 wrote to memory of 3244	1096	cmd.exe	90
PID 1100 wrote to memory of 3516	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	91
PID 1100 wrote to memory of 3516	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	91
PID 1100 wrote to memory of 3516	1100	10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe	91
PID 3516 wrote to memory of 4080	3516	service.exe	94
PID 3516 wrote to memory of 4080	3516	service.exe	94
PID 3516 wrote to memory of 4080	3516	service.exe	94
PID 4080 wrote to memory of 3064	4080	cmd.exe	96
PID 4080 wrote to memory of 3064	4080	cmd.exe	96
PID 4080 wrote to memory of 3064	4080	cmd.exe	96
PID 3516 wrote to memory of 2588	3516	service.exe	99
PID 3516 wrote to memory of 2588	3516	service.exe	99
PID 3516 wrote to memory of 2588	3516	service.exe	99
PID 2588 wrote to memory of 2132	2588	service.exe	100
PID 2588 wrote to memory of 2132	2588	service.exe	100
PID 2588 wrote to memory of 2132	2588	service.exe	100
PID 2132 wrote to memory of 4704	2132	cmd.exe	102
PID 2132 wrote to memory of 4704	2132	cmd.exe	102
PID 2132 wrote to memory of 4704	2132	cmd.exe	102
PID 2588 wrote to memory of 4144	2588	service.exe	103
PID 2588 wrote to memory of 4144	2588	service.exe	103
PID 2588 wrote to memory of 4144	2588	service.exe	103
PID 4144 wrote to memory of 3872	4144	service.exe	104
PID 4144 wrote to memory of 3872	4144	service.exe	104
PID 4144 wrote to memory of 3872	4144	service.exe	104
PID 3872 wrote to memory of 4612	3872	cmd.exe	107
PID 3872 wrote to memory of 4612	3872	cmd.exe	107
PID 3872 wrote to memory of 4612	3872	cmd.exe	107
PID 4144 wrote to memory of 4244	4144	service.exe	108
PID 4144 wrote to memory of 4244	4144	service.exe	108
PID 4144 wrote to memory of 4244	4144	service.exe	108
PID 4244 wrote to memory of 1340	4244	service.exe	109
PID 4244 wrote to memory of 1340	4244	service.exe	109
PID 4244 wrote to memory of 1340	4244	service.exe	109
PID 1340 wrote to memory of 3812	1340	cmd.exe	111
PID 1340 wrote to memory of 3812	1340	cmd.exe	111
PID 1340 wrote to memory of 3812	1340	cmd.exe	111
PID 4244 wrote to memory of 3828	4244	service.exe	112
PID 4244 wrote to memory of 3828	4244	service.exe	112
PID 4244 wrote to memory of 3828	4244	service.exe	112
PID 3828 wrote to memory of 1344	3828	service.exe	115
PID 3828 wrote to memory of 1344	3828	service.exe	115
PID 3828 wrote to memory of 1344	3828	service.exe	115
PID 1344 wrote to memory of 1628	1344	cmd.exe	117
PID 1344 wrote to memory of 1628	1344	cmd.exe	117
PID 1344 wrote to memory of 1628	1344	cmd.exe	117
PID 3828 wrote to memory of 2716	3828	service.exe	118
PID 3828 wrote to memory of 2716	3828	service.exe	118
PID 3828 wrote to memory of 2716	3828	service.exe	118
PID 2716 wrote to memory of 4852	2716	service.exe	119
PID 2716 wrote to memory of 4852	2716	service.exe	119
PID 2716 wrote to memory of 4852	2716	service.exe	119
PID 4852 wrote to memory of 2148	4852	cmd.exe	121
PID 4852 wrote to memory of 2148	4852	cmd.exe	121
PID 4852 wrote to memory of 2148	4852	cmd.exe	121
PID 2716 wrote to memory of 4188	2716	service.exe	122
PID 2716 wrote to memory of 4188	2716	service.exe	122
PID 2716 wrote to memory of 4188	2716	service.exe	122
PID 4188 wrote to memory of 4928	4188	service.exe	123

C:\Users\Admin\AppData\Local\Temp\10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe
"C:\Users\Admin\AppData\Local\Temp\10be5c92b3628dac2738ba911ecbfcfad9b94b7499144f2f10c0a1957a7bd54f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSKEN.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHXVMMOJCFGPLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3244
- C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe
  "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJRNV.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJXGGSYOMQLTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:3064
- - C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
      "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDKWAXSRATJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REIECSYQHHJEABL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJYAYLNIGIYMTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHSPNR.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQYPDEAAVQDLFKY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGPGD.bat" "
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        11⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYXUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXMNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        14⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBIWDR.bat" "
        15⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBPVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "
        17⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAFUVS.bat" "
        18⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQCGLYKSKTQKUFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSRDLD.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFFHCIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOQGTB.bat" "
        20⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOLUGMRDBFAITUQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYTHOJ.bat" "
        21⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPUBCHAFTTGIDBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRXDE.bat" "
        23⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXK\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXK\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIREDR.bat" "
        24⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VBTXSOQCIPPYAUT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
        25⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCJVWRQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRIQFPFB\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "
        26⤵
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
        27⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUNTFB.bat" "
        28⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVWJOVWHBPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
        28⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        29⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWIICVACTPQL\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\XRJPWIICVACTPQL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRJPWIICVACTPQL\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYWBOESOLQDQSNG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        32⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXEOXVFCMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        33⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        34⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSPQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTONTPFSAJ\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTONTPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTONTPFSAJ\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
        35⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIVXJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
        36⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIGNJMTDO\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
        37⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJVHFJXYBLQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRNOOX.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFDFVIQKPMXUASW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
        39⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFABWQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "
        40⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWULLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
        41⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWNKFYOPMVHNS\service.exe" /f
        42⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\ENEWNKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWNKFYOPMVHNS\service.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYKHM.bat" "
        42⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKTQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRALS.bat" "
        43⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRISOJSETDS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
        44⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
        45⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSGP.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGEHXTUC\service.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHF.bat" "
        47⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
        48⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTPXPD.bat" "
        49⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HLIIUQOSNVKLDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSWJNN.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LTHIAHIRMVMBKVT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "
        51⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJKVSQUPWLMELMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        52⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VNMUJIJFDKFVIQK\service.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSRDLD.bat" "
        54⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFEHCIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe" /f
        55⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRTYEF.bat" "
        55⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWDMVTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPHNUGGATARNXOJ\service.exe"
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVCYYS.bat" "
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWSUGMTTEYXMVIH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
        57⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYCVTC.bat" "
        58⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DTTRAALSWIGKFNB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe" /f
        59⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUISJ\service.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJQA.bat" "
        59⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRWDEBKCHVVJKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCTMRD.bat" "
        60⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTUHNUUFYYNWJIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGVTJTNLODJWWIQ\service.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        61⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMFGXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
        63⤵
        Adds Run key to start application
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBNVBT.bat" "
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHWWJLGEHWKRAMQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
        64⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
        63⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
        64⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOFXOLGAAPQNWIO\service.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\FOFXOLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOFXOLGAAPQNWIO\service.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        65⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
        66⤵
        Adds Run key to start application
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
        66⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        68⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe:*:Enabled:Windows Messanger" /f
        68⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        68⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        68⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
d1411aeea0a1d39cd2ba886115a0e406

SHA1
6c82d0b0f04401d57a07ad98a5df19a7b18c3825

SHA256
6ac5c7a38ffe086cff3763017f6befd52e1ab90922072c84a37b9bc6c656bbbe

SHA512
17b236912ec54dc694467cc57eab3cb1747b275129edbdfb410477a88b43c362c0923d693ada69a6c1310c58670de1e1fdbd0ab21ca4655574fe3363a3eb40a6

Download Submit
C:\Users\Admin\AppData\Local\TempABPYL.txt

Filesize
163B

MD5
07eac661d1b577e5b372b206c824c2d5

SHA1
5e31c3f675be31225f7fe90c39b52161b503a7ee

SHA256
a42445b8898e0d4dfb54b8bc5d5e14c56ee52930c88e113112e0dce363d4f36d

SHA512
b17da091c3f5075e2fe629252281c160e439bd3e64aed6fb5bcd147076b9c083f5e2e9615d66651b0595d4e74049b4c5b1ed51d6f608069a49a554453abcc579

Download Submit
C:\Users\Admin\AppData\Local\TempAFUVS.txt

Filesize
163B

MD5
ba1f1bd435b28eccd546420cc5be7a96

SHA1
56c4557fcff16d997a6d785d4ebb38439206ced6

SHA256
e8feeb27c504eb2c77ac3feb5375379a5d525d789f1187ce8a4a24f8c0b88529

SHA512
d7f88feaaefe976eb05b1b44af58858ed320842776a8894875f3f475625eccfda598703a9ee64def3106ed920a13e494a78576b840b92b7b722d11df70d415be

Download Submit
C:\Users\Admin\AppData\Local\TempBEFPK.txt

Filesize
163B

MD5
4919834bbde5f7a57e3d98ad143f17ae

SHA1
aa52486d8d559e94adb28699c8387c7cdfefa9f1

SHA256
7c661ba44c6f5064b55c764f44f8bc59b56f687050f7f431ebaec92c57e71f1c

SHA512
dd7b84e28ad0c1dae0b38501f0365af8799b2b65baaddd8257d018b0a2b899022514a09aea9909f726281a86e377c37a7f722c514821e45deaedea9e59690491

Download Submit
C:\Users\Admin\AppData\Local\TempBIWDR.txt

Filesize
163B

MD5
07bdcc8f46797f3abf73a8a329437fc1

SHA1
ca4c65dd543c0f6c8e5c96a5582949865e01d368

SHA256
d9a2385369660d031efcddbc26c701e0681299544687b01ad8989c1e427b273f

SHA512
96fbf3d9762704250b922fa3b942cba41a8404c117060d66b726317428841f16088d018c3d3b4386dc2ba5a56df59114ba3369daadd7bbec82ef5397d85a6a04

Download Submit
C:\Users\Admin\AppData\Local\TempBNVBT.txt

Filesize
163B

MD5
7c048c8277da2100cbe5a654a78e06a6

SHA1
16e0cd3eca1892193fd68343462eb1a591cd72a6

SHA256
0d5b734b1b9d6ef3e54c7e860136db7e4748ac99ac7f893181cc23107fefdb9a

SHA512
b020c74ef61319a0b72ddead28a87b8e6280583e422d1480a524bbe98523f5af9bc84816d2b4e96e114ea8fb87b812c5d12e9cb3fbb059349e21e7d3b57008a5

Download Submit
C:\Users\Admin\AppData\Local\TempCTMRD.txt

Filesize
163B

MD5
1d49743fd2ca624dbb63c11c2313dd1c

SHA1
76ff69e9c73fb60e4b2d860cb9ddb86b3f9fd389

SHA256
5002a045e367589d1b77d274cef21a976dbb50a6541f49fe625bc0779e7072ea

SHA512
4299df5243bdbe28ba0e469d21952b019733b6d569737d21b83f25cb8660f57432e03ebd8021077789a72edea4e09a1c3aac6acfef832bcccd208fa8116f61b0

Download Submit
C:\Users\Admin\AppData\Local\TempDESAO.txt

Filesize
163B

MD5
5b8a64d8a40c0ee634f051917d11e111

SHA1
e803fb652a18a07cea05c4174de8361269e8193e

SHA256
0f7ddfe9ea42dc3c0b9769896b24b77eb92e5aa47ea797462d56e89242db8c22

SHA512
183d901404e67e2b839a50daa7de077716297d5c818407897c297dba7133d2c9ad15f74b75592140233a7e4ea2dd44fe6a69727ac02680ce585feb55503c3eae

Download Submit
C:\Users\Admin\AppData\Local\TempDMDXB.txt

Filesize
163B

MD5
c3f5531d03071c2009f71087a7c6359b

SHA1
5ebab0c8c18029cf3e0705f9857181f8d89ed9d4

SHA256
dc16a4737a84a025ffca5a8558043dd1e86fa3c7b865e3ef7be2e30bb8d5c2f8

SHA512
349f5874539d177d9d8ac0a19f8fecea49808c5eeb17dc365b6d4fcd56c7f26c9e0be88bd59a5756e3129672d2847bc4d4c6311ebb6bc03b0147a444275dd57a

Download Submit
C:\Users\Admin\AppData\Local\TempDWWLU.txt

Filesize
163B

MD5
5173f087c79d96c19c0b3c179d070d52

SHA1
c75236909f9401a0b974abe7ba97af86ea5b68f6

SHA256
5e40da6ed8954741e011fc6bbeb8c1ede726e596f915abcd773375198ccaae5e

SHA512
c996d44fbc155a9c4033ef0f8981c63b838ebbd9123a3a958b5e4053b65e8c9e3842be0356e179be2b1608533477c0c2931d8803bda82244213f1c23ead085f1

Download Submit
C:\Users\Admin\AppData\Local\TempENEYC.txt

Filesize
163B

MD5
42cbb906a357b23e88eeb5ff28f96129

SHA1
1615507daf3bb0185f426cce62510498779ad003

SHA256
fb04957debeee10eb6d671599f04687240537aafad8950ea7f3b2f59f7956034

SHA512
39d63695e07872510758ee89e3ab1f0ae680d778a67224ebc5d2e139506bfc2db9fa723ff2414cb9891a647be933d739daeb003d951be97af73e31151643ac8c

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.txt

Filesize
163B

MD5
6df101e5793392a3a4687cb3f0d05d43

SHA1
8bde684a4b0df6d745ccf82ac144b7f10552c5f0

SHA256
89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc

SHA512
d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.txt

Filesize
163B

MD5
5a2d7d2fdf8d93d974d5b1e5e9e8b3ab

SHA1
b73cae44242128fcf54c491ac6d0e9a8fcc0b95a

SHA256
1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8

SHA512
8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.txt

Filesize
163B

MD5
8d4ee8b48f58a86392ee3aaea0e2bede

SHA1
546ed5aa01cece7dabe24439265708e71aaef500

SHA256
aea71b243d933b25133be7c4304f8686a6f8cf6b93434c193aff9066083ebe3f

SHA512
1ca3731f4ba95ae7fba8e0d6a0c760c013d17061cca2546ff1e1ccb8c98814f3244dd0daa9139a6d41f148a5eddec102069b3afb660aa87a377d036d0c800b3a

Download Submit
C:\Users\Admin\AppData\Local\TempGWJQA.txt

Filesize
163B

MD5
ff00f653cca12ff89c1093f4c4474057

SHA1
61de0079c2342226a77b8ae63b3134b67e30bc55

SHA256
8b8d3faa6fcf447f05567e088de707146c7198280d2cfba32c7bc0a29c257727

SHA512
20ec421758ffb87a796b6c8a8f7da9a521c4f1002293cd432d4a36de44284fe31065e630e6422af7dadaa0a9bd2244b941dac9b820d5cddbb51e0c120ccc0fde

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFK.txt

Filesize
163B

MD5
9cefd998d2459579fc67fd4c86ae11e9

SHA1
47e80db8106748e56c0b9e9c6a7fe9a9a7479d3d

SHA256
2d65638d2f338912ac4bfca697e2704258b9f77070ff645d374278834d3f04a0

SHA512
95dd5c02ab171fb280a76ee148674376c491978b2371f40846c5c4d51ea47125318cd0c5b86d7e97ca46156c2d1643eecff0ca4cd18cdff312916f1ac28de97d

Download Submit
C:\Users\Admin\AppData\Local\TempHSPNR.txt

Filesize
163B

MD5
6f07097d152d92ade698b09ed8073086

SHA1
c1698ca121c6f94a67eb921299cf55ef5f871d3f

SHA256
9ea509bb14b875b70195035144f507e3a23f339b3c5bf21e63f15105f7308c27

SHA512
01e6fe5f92a638956e29721aad9d5eb7ef80376fcab13c14f6113a6818908ac57ad6bb2a3fa25d12c7e8c656e81021f96fe62aec6367dfaa1e018c87f96c8b6a

Download Submit
C:\Users\Admin\AppData\Local\TempIGKFM.txt

Filesize
163B

MD5
259fcf2d77cd48c375b929493d9e95d0

SHA1
ae081b27b04fa7248d5a76d5a71b4cf3abb748cf

SHA256
03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253

SHA512
daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa

Download Submit
C:\Users\Admin\AppData\Local\TempIJRNV.txt

Filesize
163B

MD5
cc96f8097db5d6de467ff5c3bf6ee0f6

SHA1
ed8c320c28291f9653aa8ce27120d03d51108a52

SHA256
9abea05793954156ce1708bb67d41f4122010e1af30dc3674eb97b633f9ecffe

SHA512
d1820f71102a88453b1edd2f7b849b7fdb56b95e7cff5f4992564da6db17a4c3e81787aea2de08bebfb3f39f0374daa162931ab6cc572e25b3989004c26517fc

Download Submit
C:\Users\Admin\AppData\Local\TempIREDR.txt

Filesize
163B

MD5
88fba022a2374c9f89fcabccdc32088e

SHA1
f4bf73d6e34d313709c09e6c3f50e1d68cdd0c2f

SHA256
fb8d8da7b34a02e7c35ac25f161685aade8a07f5810e1150a9a12ee88770fc28

SHA512
15014314272b64a1b591ed6e52eb7b3edd01e0c1ca07537b9e4d36fe793361e4b5a4c2bbd2f8c314e8bad8f328d8c21dc43ee465232af9337eaf4b26e36ba5e7

Download Submit
C:\Users\Admin\AppData\Local\TempJBDRN.txt

Filesize
163B

MD5
8a50e4923d199dabde964f741af5d3fd

SHA1
5c14aeac4e6e9c105f75dd4c697154223110f936

SHA256
b491c15dc5483864e46a58d6b12d5bed19814c47d0e24f7a25839b50753e6a09

SHA512
0c64ba1855c540b439dfd7cb7bf2dec6bddff1637c5a5694274a6962d7a99e92c9c8f75e6b358c5974c3aa94f3ad99a73aaaa7508240aae72a329acd7444c3a3

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWN.txt

Filesize
163B

MD5
f5e8a9716cfd7b9d8b54695d2c431028

SHA1
a03a0d81523fe2c2e57bb96600d535967861811e

SHA256
a0b845eadc98e67c46474aaea2bb2e32cc1baec934419bd4c757a2a018e84a3e

SHA512
db01c4705b161f474a44109507520af5b786a90371954084d5271e40d7ff42633c6e1069735a861d832beadc62047b1d7f06613b5609dd5991c0153b4179556a

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.txt

Filesize
163B

MD5
fab5d0126cf77eddf769e492bc1d084d

SHA1
f445840aba09a8d1f8a7add52a172fd605b0b0d5

SHA256
241c1c9a1b55d5262cea18859160431f9fd7d1cdef980e265574ebf86f357fa8

SHA512
9781dd5be35e276acbb13fa3e0a1e1dc9de43e3cbd57a277e09aeb55358470c4e9cda38674162d324deb09e33f07f35f20d847397d845d466975a61f42ddfc5b

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.txt

Filesize
163B

MD5
7bc90f2382d026a068c0214d6b56110a

SHA1
e32f9b826c1f29490a7611f2f4c3c0ad53ad2b49

SHA256
654b8b08b9c428d2cafa1ff91395f2f3227ccaf916608dfe0f1f41ea4ec6a349

SHA512
645dc007e01b6e1a0f70398be632e1ebad8ba155f433e7d48177828d5544c3799939adadb7fc6d779320a3ba899a9cbeee1651e0cc50990c64622ac441e4dd27

Download Submit
C:\Users\Admin\AppData\Local\TempKSKEN.txt

Filesize
163B

MD5
64fadc43bac04236ccc314d2fe40fb68

SHA1
90192eb84cfbf5693031874eba45e8e5bd52fd6f

SHA256
1e7e45e9fe1e033c17b8dafb85ec3f0c045eb684943857425923895da4272eeb

SHA512
3c15fef069d98200d099b05a4352aae5574835b8687aeb7fd0f74b4628a32b8c0b3c78aec3adfe615e0b0f2c620bc3a0370a3d06c410593205869dea5a4f41d5

Download Submit
C:\Users\Admin\AppData\Local\TempKTPCO.txt

Filesize
163B

MD5
3dce1f45a7aab7cdd5aa871b0cb72f70

SHA1
9f1e1df0b7abd3e6cc01d26f5f74f89e72fceb68

SHA256
d901aa3fd80e99b9dc89c599ddfff6ab127deb3c9543d61c7cd58d7038470225

SHA512
e5e55be15af3a45c21c28ac940797e0f04b9bd3b7d30428533e5cd6603e59dd3f4416b5e7a8933005cbb33f65aa540418c53403dbcba1a62bb8c9aba08bfa1a9

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHF.txt

Filesize
163B

MD5
f814f4259a2f98d4da28c79ed3a6bb4f

SHA1
b36d0e73e50229d7ad8821238034a6bd95cf482b

SHA256
eae0bace75f623e11d6b7ef774140e65632b6e3f4df9cb6f90138299c79aea68

SHA512
badd7876a8498ca1aa06c486d73d702210adc70aae2e996340a842443823ea76ac04c457d379d422ff2f451eb0ec2739fe13d4952b70a18dca85540a79cf7654

Download Submit
C:\Users\Admin\AppData\Local\TempLIQDJ.txt

Filesize
163B

MD5
957ad5dbaa44ac91d5d250272d2a94e1

SHA1
d6c101bb30848098ab9c181fbbc422278ab6f6e3

SHA256
64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582

SHA512
052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
dad343b1ab90833b51b7114c70319010

SHA1
ce24d4888706d87480b532344aec97e342e7c933

SHA256
3ef51cbf08cbe065cbe0fe441542e7e3a75a7c81288a4753de4bed6147ca3d19

SHA512
5667310b582d74badbf73671d2d5d8e76d131c97de4a4dbea89d1991fe08b3d4cb2d15ce9590b3f45e27ef90a4c487c1a1189740ecb1044847ab967274f1d9c8

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
9fb89caec6f093f5b98a120aa434a6e6

SHA1
7ac90bdec43895a090525864e7e03191b1e9862b

SHA256
0487f19665acc64817da8d7c6566bc0f2e05de4fe3dda344f2da61e9fbf6680e

SHA512
1959f45c5cae5618a7dd50a2a1417022db08067257cf996b8f80711c2d1a2efee2a733b175708eb9508d930032b37379190877f864ac36c325a32cee0d06d2f5

Download Submit
C:\Users\Admin\AppData\Local\TempLPQVB.txt

Filesize
163B

MD5
07f0416265fc0a7b6a27ccb426c82d20

SHA1
7c227301671a94f824ec16aa62516a9789530edb

SHA256
919d6f5791ec99d256d4db165666af90e36dc350f1953b9e23bc6a52d4808898

SHA512
a57fb81f2d1fe104c03887cbcd87e89c65dd8d1e0ce411f536b99384348da33f0a6bb4a47a93b942f09e38400e3fe2fa475f27ca9401e678b5437e09dba8965a

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.txt

Filesize
163B

MD5
db88d6e66cb9f33cd3b932f2517a8cac

SHA1
9729534ac3b52ce4e9272e5c663ce5ee9f2f0bdd

SHA256
7f21172affe62c4c6e0c8af2beb6c0bb9bfd562ca57e710879ff348955ce9f53

SHA512
ceeff57ec720ce40805499862515416e3336dd527ec3d8f0545312fc7342a1668845323e8eb264b85e026a29395e7bdb16b73ec25e520a4ba41486f7fa1986b9

Download Submit
C:\Users\Admin\AppData\Local\TempOQGTB.txt

Filesize
163B

MD5
6dae7294e837d1e750c0009f6c27520a

SHA1
57d96f8ba9692a7794ed50acb7051f950a94eb1e

SHA256
73493a9f7f9d0b9dca8c323d09adc64a4dce84e270a417fff8aa55a4948a702c

SHA512
ea1ec99eada7896aa4a1c9cfcbd1313e6263e7fc2c6d0c9c4e1fcc5727f68498ed3e5ce4c94623a549c2d2f3ed556d39bfa377e69ec6e642e118d9736d80f521

Download Submit
C:\Users\Admin\AppData\Local\TempOXTSH.txt

Filesize
163B

MD5
bc36df4141c4571df4b328c6269397ef

SHA1
7ca87fbb23c5958d6a159b9a32a60e3f2fd4e967

SHA256
046d8a81e4cd3576b293b213036f947095867192d9918e65feb0b65ac35b4c3c

SHA512
a79049d0b3026e1519c6b154452376ad5311db825e6593ee75cf885c422b65968ff640d38bb51327f86b0fa8e9b382bdcc10a4a8db0859dc7ae5a8628f8930a1

Download Submit
C:\Users\Admin\AppData\Local\TempPXODM.txt

Filesize
163B

MD5
064980d572e573e41cfb79e310369d69

SHA1
c48f752070a34a7bf790e1b3e2e95503275edd1f

SHA256
11f3448ed0674a7deb1db20a2eac212e743461d223c786c01b3e5d7472f46cbb

SHA512
59cab5247fdc3567b394bea3024d42d7f04672efd90f0014a4b53407c84a5c495a705105ed2e8b471344d2ada9b2b460a17707d76205290f9198658447f39a3a

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.txt

Filesize
163B

MD5
878f9cef61636cca20cfb70db6163294

SHA1
6af0e6d2f4839baad8de028762aaae888e12e698

SHA256
224e5d724d4f06b25b986fee6169b27ae18dcd8060982a5842bfa7a22430dda3

SHA512
84b6f14411541b4043692c395b4167e6d619573e1495a2aea63063ff7439e91c5034f75e664159462c7540a1a646560b6af8645a6033756dd804924819ccd211

Download Submit
C:\Users\Admin\AppData\Local\TempQQFOB.txt

Filesize
163B

MD5
1b8a24eccf10e34c7d9d7b7106534508

SHA1
445ef2123a82c0343807b2a73a0287b7c4f14299

SHA256
6922b123a6d917cce1a4949984d2a79fcca081f1f34e1713fa0ffead678a2bfe

SHA512
8841a7a8fa42ae481c3f304ce90161969124ddd9acf9c3f6ab3d3a76090015b3d4e88370fb140cecaedec2de79641fa7d9f132f79b293f729beb6f816e1abc10

Download Submit
C:\Users\Admin\AppData\Local\TempQRXDE.txt

Filesize
163B

MD5
b24fb2969dafda9deae8e554160a432a

SHA1
37c8fde90431b0e58458468ab53bd892db352969

SHA256
58ff67f07463061cc5ca04a7805def51488cc7d8ad92121263e668f8e4a649e2

SHA512
5c8c6a2e9b41a159a21efeb22108abab43bf225639b5481a981cdfc0d8108af848266cc0eff8f9152a0f2f8a2d5a4317f5d23d49cab8c8ca9a8ddf9d5f5a31a3

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.txt

Filesize
163B

MD5
cbe40e64aff925aad78e085839c6a2b2

SHA1
3fe84d0b3408195f3430b5ddf1fb9d05dca0142c

SHA256
f55993f8bbdc06ad308475b162b45a703abe32a030624c5b73d738b1f8e41627

SHA512
e08128ad7db07d204c97aacb0e1314aafcbc502a96665bc5ab07f0149c15e96a08015db269fb448d54bae48c01aee6b7e186d1176f73b334352100f49b54774f

Download Submit
C:\Users\Admin\AppData\Local\TempRMUJJ.txt

Filesize
163B

MD5
5cd05df4f5db1f57328d0f43cf3f4bc2

SHA1
e9721fa20f2e591166ef6b7794783272369a0c5c

SHA256
53c2b96ecdfe3f98363d1280b3125c4f73ade6e50cd00a900ec03db168987a8b

SHA512
78a198538746372979c453799170f955edd0304c1f79feb155301a62386be9ec616ad2c27926321d5497052161b11f740e2692c8b36ec159814edc37e92deef9

Download Submit
C:\Users\Admin\AppData\Local\TempRNOOX.txt

Filesize
163B

MD5
b2ee8ddf3b3f0bbe3699bb094e8d6d84

SHA1
0b99ca07c691136f91944b73463cf84239cadf6a

SHA256
e8d95d55f828ef8c2334eb7f2a9567e947aceb4708e9658104aa98604eb181aa

SHA512
0f113a8af1b2a8eb6456fcee932dd3b788b5ee838f026d1f91522d1fd575be274865de59b62c2153fecc588fbe397c3f849127fc8863f34cf519d25358e85a3e

Download Submit
C:\Users\Admin\AppData\Local\TempRTYEF.txt

Filesize
163B

MD5
8a471c98573c32fb000e49a27026dbaf

SHA1
c8e852f251159b3fd227b968c935f284f4b3d7b6

SHA256
fddf79ded5e8e38107b86bfbdbf38a58ee7e77c354fed01ca00076e52e390f15

SHA512
88ad4e534fe8a98cf86d083e53e1851ee0229e793e32ea466b7f722388a070eb7f279acff3a9d61b6327abc6ec14fc5bd60ed7754fb0e76c917487574a75880c

Download Submit
C:\Users\Admin\AppData\Local\TempSDPAX.txt

Filesize
163B

MD5
552ee2570631ef134768fed9dd4171eb

SHA1
96c2b049bbdb34d7984d9a982fb7555ce35f22cd

SHA256
b93c0ba3be4b091b8c33fe17897048027dfb6fa5396baeee62467810ecf66be1

SHA512
9f82b591ab2b8b492e70c8c05686b45c5645e15f4fcced205fc0a91a0d1f86d9f47381419b58a7d0661fe14a8ee9d7ded70e269ae3688deec4836f571b99a80c

Download Submit
C:\Users\Admin\AppData\Local\TempSRDLD.txt

Filesize
163B

MD5
619650b8d031e2dac05a9f09a6cbfb3d

SHA1
2e9b1b55269d49e9d916724766dc98596c06d69d

SHA256
e1e1a5f7ef990386b686427f03c003bd9cd5d4ef711a557846b75612ba6e1102

SHA512
327cefcaca693498d79641b3706ab6a48b9b7075b0ffac0f078be8a8bb83e88a0a8669e7099c8b8b91583a65b6940527abc40b39e02cb570c2a9c7a763896b6a

Download Submit
C:\Users\Admin\AppData\Local\TempSRDLD.txt

Filesize
163B

MD5
a1fb91f9ac30ad31fa9252fced055312

SHA1
25b889be994a685631c42ddaaa1eeb45552ce04b

SHA256
d3df305ed561c4363f6ba690d58e565bd158a3d25f6325c0713a0611376bebeb

SHA512
1e29c3735fddab655ea59aa1e43cd900e83804aff5bb84ef64241cd606b0f50352f96e4dc6cb28af7048b51bcb6a15d708f1d4dbd428aeff3aa3c010c000bf7a

Download Submit
C:\Users\Admin\AppData\Local\TempSWJNN.txt

Filesize
163B

MD5
c6db0dd9feb74c4e429f55f879e41c2d

SHA1
983b5454b7b38924f540292efae0ec302aeb4d82

SHA256
03e8a676208852efc6a1fea230f86515915e38428ec298436bb55f1058ca7519

SHA512
17c059ec1e23ecd0610424f9b6b82bbb818bb40b86ac03bad26766db1b297bc72ebca94cedbc9ccb9f88733eb937804cc7756e8da9e0550e726d22d3f287d7ac

Download Submit
C:\Users\Admin\AppData\Local\TempTFLQC.txt

Filesize
163B

MD5
2a203fa95c511f4fb3b42526e9c38269

SHA1
08fdb577504ba55a11d89dbda642ec864b792b51

SHA256
ce994fc8d684e32a48593a350bc056e2fbbf2c0e593deda1d1438c90ec5b6301

SHA512
c5653976a7f3a4fb082a74d55391fefed64defef20c1cd347a634b46aedfce988eb04a181dd9e99774fdce526bc43df3e3f8c5d2802ab5eb57b3a1d6a197b486

Download Submit
C:\Users\Admin\AppData\Local\TempTPXPD.txt

Filesize
163B

MD5
b4c3e0ae0eea57204d095bebb7fe590c

SHA1
9f433edab91566767f5130fe0ac7cba2c112082c

SHA256
2056549edb0a1bf270a1b54c40646a88132d8e6f0e7122d1b480cdf49ffe0ad0

SHA512
c87b335bef43ddd41d0ca57a5edcd595aa62984392f7e5151c3c0cfbd9b1d510c0e216d026bea6c131c861bd2e6e9ca416b777a74d33ff5ec168eec99a5a01e2

Download Submit
C:\Users\Admin\AppData\Local\TempTRALS.txt

Filesize
163B

MD5
9f63e74366ed4e44759f1839abc23282

SHA1
bfd7974f2c2db1f1d3d62a5a62e8614b21bac8be

SHA256
9c0414a9287b6918f61a39759f4f230e426e90a09f73053847554b4a5b764aef

SHA512
0dd147cb9977bf0fbe185a6f6c2e72829dabe8fd444de7cc0cdf5d1d5a0db389e6dd40e88f0e7a6d7b6b8690f3b835072375037028231cbf15772218127a19c7

Download Submit
C:\Users\Admin\AppData\Local\TempTYKHM.txt

Filesize
163B

MD5
e8e32524e36ee057c07930fb73c593f0

SHA1
47b1458e34d280a6ce43a992e8b5e47a5644cc29

SHA256
333800e64ecc52753e36c5a484d65bcdfc9e52a0e67fc14d19f2a10e95b91a4c

SHA512
578d39c6233f809442280678835cede9d6a73f8d3011d5e613508f6ceae34460b9e6dccc6e318f616e9cb6138e4071fe906b543d300bf48c339579c06f20d7fa

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.txt

Filesize
163B

MD5
61101519a3da1228d0e0498cf23f87f5

SHA1
23984750bbaf6fceb0c0fbeb529e99639b05e8be

SHA256
9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac

SHA512
26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

Download Submit
C:\Users\Admin\AppData\Local\TempVCYYS.txt

Filesize
163B

MD5
08ab99e2fa80e03a20f719b789a9326a

SHA1
0a90795580924621e9ac282878a6ddb1ac6838c5

SHA256
e8a67a4fcb7eee0b9a7e8ddd3a48c7d4bd4dab353eacf34f38e5c5a50554e4a2

SHA512
0788bba872d4d56d2483c2c26a7b3e68286f67e4fbe4b7747793a08fcc909942b0f189697673cd4b38c5d9d76d9df092b33a8c72b94ba0e20a757e796505dadc

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOX.txt

Filesize
163B

MD5
a1a4c4123a34efa35165ec504b3469c2

SHA1
88bd04026fac949e189848ce90eb352da2a0c97f

SHA256
fdcd67afdb258806763d47d307cfc2f9153d29223c87aee1a2338453f5a48230

SHA512
9a73c3e38e70ee0a300d938c77a8d205b47a9c417f874a94a69c2b19df75dc5b65d871b713a387304963587de12ef085a39bd1a36fd6da2da65b6dac069d83f2

Download Submit
C:\Users\Admin\AppData\Local\TempVRQFO.txt

Filesize
163B

MD5
7b4429133f5c6e37c64297f81ec77670

SHA1
b56d1182c2e66f79b10c11a3d505d21d9c368e77

SHA256
549609b0e948251fdc0bc9c4e50c8b5088d611c3fe760c52a705a843fc9cff13

SHA512
e2e600c82b35ddbd10bb8b875771e85073ee7b3c9ca7dca8240747457c7b5ffe6a44ffbc71b8df0cd78eb9b42018a221cebc606e120a9cdf477aa6981ec89ce9

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.txt

Filesize
163B

MD5
d3982d515423eb673768282a1f0074f8

SHA1
4fb941aae0e293f3e745afdd2bf8d97c5f658214

SHA256
5e33a0e83db829079b53d42829b2a7e59f75f543c9d064a36c084d221f5eed5c

SHA512
10bd35722880519584f8f2477da201a60d72c457c592d0aca0644e6bb5354d19312a0d9eb30eccb7362cb2e5fb148360ced6b9645a41babc505914f058fb5cc8

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.txt

Filesize
163B

MD5
cee52e867eea3e6cb11cacb1454673bb

SHA1
d5caf048426777e248db7e47e96f69528e4356b3

SHA256
fb395866dd130573a86c20bcb009d21c8d66abd8480a12802ed16be4a29a1582

SHA512
9fb572a40499b863fce21c793d720878e8db6c7198fb9383b22709a84cd08bede1dbfef8aa1241010e0226e6597d28bc8dfacc36b93ba1b6561d15e6893da827

Download Submit
C:\Users\Admin\AppData\Local\TempWSSGP.txt

Filesize
163B

MD5
3ed8f948cba0b914050b142fca9c9f16

SHA1
12a106902d90d55a83232e9d9cb7f725c67cb243

SHA256
21035af6eab2cfd88e3930b5d6e6015f8f8167e123081fb5ea063c81c2059f8f

SHA512
2648fe53d07776e6ccf2d25621dbd0d3a81a200808506ff00d425c7f83d6fe63f68ea6de905094a49bc8ee1cb1bd3f1536212b0d351288c6e53f2602b2871197

Download Submit
C:\Users\Admin\AppData\Local\TempXIGKF.txt

Filesize
163B

MD5
7ac1fabc9df638590705057fcfb35843

SHA1
713852ced0fe693801d29d556f4945ce46712ebe

SHA256
ef520fbaa273cc23c26e024e90e9aa9168b4f8968c42a14f802b7d1048f5fccd

SHA512
f523462b0075a98e2bc697cc4c2b06192466148f8fc3f8cd3d0d55a32df5153d0307eba4c59236e8c4ba016b36683a57b1c990f130e52518c01093cd8cff6c71

Download Submit
C:\Users\Admin\AppData\Local\TempYCVTC.txt

Filesize
163B

MD5
2b7814129c6f9ae59448c2471f5d9cae

SHA1
6466f27505bc244e7bd1f5acc5c49ea1c53fdb3a

SHA256
fd4f7eaa57ab46321c3eabf2076f30a0fd3ebd40eb2ee3c6359765bd89537348

SHA512
906062ee3e0f19bedf2dfe74bedd6180ea4730bc88f2e37624e8c9752ce6a2ef1713015cde66f160f9713436c53a13c11e5edc9e87afd343842d523ac74e756c

Download Submit
C:\Users\Admin\AppData\Local\TempYGOFD.txt

Filesize
163B

MD5
1c8a1be9bc3ebb31b2592214152bb854

SHA1
ad9dc2375b15466336615991e8f93396679cd5c7

SHA256
8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb

SHA512
0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

Download Submit
C:\Users\Admin\AppData\Local\TempYGPGD.txt

Filesize
163B

MD5
1f8f579ab62cfe581c4c6de860067269

SHA1
6f7cebb86c094487b897e28f8bdc260ff16775b6

SHA256
206b0a8b5576f2f0dff9c0c148dedaec8c2e8b12e29a91b89e3af94010328d84

SHA512
c3fdc977c60ffa648d4e3e9d79773512721dad09ca6502c700cd4bf0f8f8fd08f6f559221b108263af8163df501cf439d73cb2c4d64937501551171dcc3c01f0

Download Submit
C:\Users\Admin\AppData\Local\TempYGUTF.txt

Filesize
163B

MD5
11f5f8cd027dfab9da04c7643c79486e

SHA1
bb54ca86acfd76eff98aee1f3c1675ad846f1a82

SHA256
a81790dbcae61363e4e1a6616d9bf24f71186d92aca717254c73f56c604bc137

SHA512
fe277d9f57df86de119c49075f7a411cb5f337b5eacd56254537be2c45de71cd2056a0adb12a9a04951da17bf0f011c6e327be82bf71f2d5ebaddaff7347f232

Download Submit
C:\Users\Admin\AppData\Local\TempYTHOJ.txt

Filesize
163B

MD5
e6f1c71e39abc1036a520ca17bce6b7b

SHA1
1347bdf1ecb68f66ae16780a655ca970938c4212

SHA256
e87f4751e7955c798bc6e71f8de64624f0781704221ca358dd78e5d2a985dfb3

SHA512
895598bcc945977b9dc3b6ca99645d051a9505eed944a00a736bb5db681488eebddf31088ef7706b6e37bdfb87e9487d097c9d9a9a1f2b03f736de73016b25a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe

Filesize
520KB

MD5
5a64cb2324dac049c7edbe33d851e915

SHA1
a6de365aa5f6e2588be679a69499dd0b9b21a45c

SHA256
e4087b3195c315f3342165f26839fc55a52b35d21cde27b1f9c5937e7646c1f6

SHA512
f8cc1fc5eb2b5c3b68bf65b8416eed899aa10e395633bae785503bf642509b8085808d76aee52031d7a1f74a5053519de329fa80b61ae150906223c2cbc94324

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe

Filesize
520KB

MD5
916b2c822f0ea01b18bc2e5c491b3e23

SHA1
654adf57ac48a40f81c7a7ee65f9dfb7a4253ba5

SHA256
4d67d0bde37ccf7d637655dad0ef6ede1814b8561a28de17a53cd18eb46fda4b

SHA512
fbced6528cf72d4084a749d5181699d9b5d85c9ed9dc9096367f12e781c58c4d9929a4a4b27f30cd850111dfd644f1197e3e3f44c2ac8f450632a906836df1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe

Filesize
520KB

MD5
ca3a2c64468ee2d85cd1eeaf6c4383ca

SHA1
5b79c4090ecca22fa347c4da4e400e3e1c6ddd81

SHA256
e6f2be6aeacc43bb7783fbca5b2d68a3128abe0203667c63466a278f3941f477

SHA512
250e5813576a79917e5bdc0a70f0640cc7f3446692a69505275c1f3aec5d3f02217af19e1e02da2824075b423f67c2ac6c97e61b83619be432c1147993f8bcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe

Filesize
520KB

MD5
8fdb121ba3e125f15fda5d37da3e457d

SHA1
034f15a867a1a8c41696480388b8a6d0517ea908

SHA256
4adf8f7ab18dce54ee240d8f83d3155d9d2d32e2962d4a35fb70c32b4a3cfc42

SHA512
135401a046bdc7bbd3cecfeed6374854fc912e23e03843e5a91fe6af688748bb07c80d2dc10c937e01fa0747813127bb83a2bfbc5d839b636db0ccf9338569e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
4506edefbd49049512aa0c9366ffabe3

SHA1
75a8cf5c7988d65b6c18d9011cc8c1260276f013

SHA256
f5788a098ad0522d7c1a71f79f5a04d9127775cd5ded73182066f83a8f358897

SHA512
64a4c5fb72ca3ee3162bc7aedfd238fbf8b4410472fdcd95def75d30390e6d3a83a4169fef3389c5e371b4b46323748d3b01e1f7e5acb2fb6baf99cd872f577a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe

Filesize
520KB

MD5
ca9fd5fcf1e867fc7ee972a424251adb

SHA1
fdd0d29982a4752dfd46f7a8e0062156cb95e62c

SHA256
ebb612f78566f4234b0f89a513f58257c4bab7da6e6e4e8a3a766575cc7e3d8a

SHA512
1211cf6869a49ef79c4b6a3d165dc6af092f863631eb49bcb16fc572a68284b8a7486f36860d9366d92f63e4db3a81688fee796287d88c17a8ce85314814aee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe

Filesize
520KB

MD5
0b27fc7ba2779548618061230821e0be

SHA1
c75c0d63b9696e437d7aca7cd7e6c301b34ae9a0

SHA256
ffba8303a8b8f77c3a0fee5d97102460a2c5aca7adcd1af7cefe7f008ae6108d

SHA512
1f9ce1799285d4f6635347b93990b997986a02b57d32a5252057a26e35c6a97f3e57071285dabf528736adee8fac708adc2de50506b878b2fd27928d706021db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
f8ad2f1bfcffac08a454e7011b7395de

SHA1
e369798633e0ee9c6a78c4fe27be3eaa0fe280d5

SHA256
86f3d936c4082941f4f6b1bff10f1a66c0622065c5874d802b0d25cc1e9ac663

SHA512
e76bf4a7756b06b0a9730770f9e0085617e342a2387ced438812b55fce61cdc771ff42f097f47c6cf0ea67d7695f3104dbefb56322f9e9bf3d0a6ca3c23449a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe

Filesize
520KB

MD5
498323570ad9cccc74f779968dd33fbe

SHA1
f546866fa01fca63246c878ddb2a18962e108064

SHA256
68f5f514f11101731aaa15f857dae9d1f199d1869551c2f94c283373e88e22d8

SHA512
55f6ca4ef41504c7b8a729336aaa0a7cdbdc1d2f4b42b105a8cce6818a5df8f52ada1001086270a086255e24a945642c9f2df9d30c75124fb054012c7b558cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.txt

Filesize
520KB

MD5
6a02d36df87b45428d5208b3d16d7c8a

SHA1
64f1915ca9ba500ec638c72a2c022e7c96210f22

SHA256
349fcdb635c01ed38a03043d89d2999d61440f04e296726dbc91a55e37c94b07

SHA512
5fc41e249219e04aa593cf640834c424c2ef719158c5db8e25085fe105bfc77f5ffbf9786c6629b5073ce6699531a6d23c9f027ee56297806f1957ed00289263

Download Submit
C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHFQO\service.exe

Filesize
520KB

MD5
1b19ca26cf9de55286ab7ccead18bf70

SHA1
f9423a33b3aae324cc2908ebd557c4f269603019

SHA256
d587c8c285984d6fbd0613041e95c6ff995f73dbfc0b86c63c9cae1f3c9d43d8

SHA512
f53257164b3f131eb525a14da70456deff0fd54362ad1fadabcec9624618a063b1419d3161ea6a10c4dfa21a37eb367ad785b7dca1d970f344766deed512ae62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
1a107ce3fe5aef82c540b78bc18de7b6

SHA1
aeb67b39481a0afe49f9a4093405ae1d5bdd9a92

SHA256
03425127087dec1a4ef2a25c84e2ef063f39137c1832661760df6f4c6cfff1e1

SHA512
6b6ba6447bdb643aa0b9c0374d17a303130944af50abe8e8d0eb4e803148f4f7f18d3ad5a858f0734363139e4157e7cd4dcf441266a7f1345beb1154eef52907

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

Filesize
520KB

MD5
954ac5fa83a8e324fa47696ae78bdb25

SHA1
28f01e6ed73f0f97e8fa41c28a9d090d2ae9a849

SHA256
8f432c006a5db10b0b762d1136823cfa188adc6e8c2615a8a2d349035254ffce

SHA512
017b93fb677c4adedf39bd810a5481fdff0c891724f8c4111a6e3b9885aa2953497490a5039afb63e6ecc3f654629c65304b87de9af38c19afcb4b90b1061cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

Filesize
520KB

MD5
ab5a6d2638f83a4ec41fb131c0d2d37e

SHA1
93d0587a5153232a4661f981ae51b68089e5126e

SHA256
d7aa52371ea140de789fce82d5744d0ed4332543cf8d1f6bd28d433f278a44fa

SHA512
460174a5095644f84dc44d379c52803bbc700e0a228ba33a0255acbe380ac078cadae332cf93fc893c03abe54c05356a8309b75a71238be3431ba10d4ef89be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe

Filesize
520KB

MD5
5bd899b6afcb85cdd7e59933126037dc

SHA1
09d944f288be253dd42ddc083600b402702d2e7a

SHA256
863dec12f2473d541d1160d044ff0589ede96326c8cfc67f3bc75aaa0b2bfdf8

SHA512
d902254521b7105b120cd70579a075225c56fd563a1ac7c3cd10fcf9b27eabf924787fbd8b323a3005ecb2189ed520d75f92a1ac44aebb54b47dcc054fa3e9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

Filesize
520KB

MD5
c26cf6e4927bf6efd01eb8315b1b9891

SHA1
a0516909e702420b93d0a89d8f5a16c490dc1639

SHA256
076bb514ccc4935206c339d5ff04b3d320fb66c18b907e861b71951700126fc7

SHA512
97915a55a74db08f17f11b27a9c97b6b094bd6bdaa315a386f027443dad1442f4571664d09091dcde24c6ae117d4d12a249a9d73ce84f566a7b12e3a1c57a622

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe

Filesize
520KB

MD5
7c8f6f0c111ec3174914f68ca4c75c3d

SHA1
12ec800b29cc7dbcd634712509d01e5955cfc274

SHA256
e9e55753a51ceb1adf03ad58c7a26645cb9a19e1be07ad47caacbfb84166cf0b

SHA512
2e95a82ddcf5cbee02f8b3689dd61ca14b52b34b032ec05ff0c514a089c13018020ddd3835c9aacd2d6906a69af4c6971987eb5a27af470c1fe99b28867ddb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe

Filesize
520KB

MD5
c6cbc1e6f3deb77ebf92754d19c752f9

SHA1
9b21dd6f74ec6841a6f006a115e41a927c5271ec

SHA256
6d3eeed92178b39989d25dcc407d0eed4dda80e1eca59793cbe2907257369ab0

SHA512
f9f323d47c3f6e01aeb66bfae20678db9937037ed2fad46c2e78ca49245e6f531a821741e284218f1db26ac039bc11cc84b769b0c72a00b1f7a81c7fdcbf84a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCVFRQRNLSNDRYH\service.exe

Filesize
520KB

MD5
80ec6a646fcf51d8c3ea8ec3159e3243

SHA1
ac0377cafaaffb898cd0f7f8eff3aa34572a98d7

SHA256
66f174972890c085544806fe21e82d297659cd8414920db2bfd2b8c9d6735bb1

SHA512
02a10088dc2f6711538d92ad0f28488b8319e55a389b940980f67d1b6dd00c6057d4c9cc1b787cf391f07dcdbb5c56dcc96020a09e96ddef6fffad3a83160eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

Filesize
520KB

MD5
1492b3165eab6cab2b5dd86f06dadaca

SHA1
6246be9a411f74c5283068b8a877534bd40cc2d3

SHA256
10e6d706818ca49cf6194c9f8e356eb07c823753bd415d34d4c46c089c92593a

SHA512
818c1eaea1b9def951b7dde23fc029b576fc6ef58415367b8f31c81d33c8451c08482b3819e6caa5fffb27fe01d9fe6dd97ec376b82a7e78b9cf04b7aeb53253

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGNIYLT\service.exe

Filesize
520KB

MD5
6312f17230bc47e464ff3b202a868980

SHA1
ce0754c7416319e81dcb3b691fbdf57720e58ebc

SHA256
02aca160ea5184c6743a6345e54a92715c958b2a84568f0b4281569d3f327628

SHA512
d92e614a1659d0fc2315bde802b92d219aceb6b89f6dd22523d29030dbf0ed58bbda8e259ca5b549d83a46e76e206a7c9e96daa6af0127e57af9a09fb342ab0d

Download Submit
memory/2920-1579-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2920-1578-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2920-1584-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2920-1585-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2920-1587-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads