blackshades | 842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
Size

520KB
MD5

6b32200e49031b8048ef42264a2ca961
SHA1

d4d2689081fe9deb2286647e15c59236fe4ab080
SHA256

842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342
SHA512

809bb69bbbebb7eb9b67b8d2e5d99d1d91c316999dc3617ae80445b08bbdbad5a90942327b07f9a030e59485558ac86d9d490fbff0fd9cdbb44e7217b8e990b1
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXd:zW6ncoyqOp6IsTl/mXd

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral1/memory/1788-1561-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1788-1566-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDHNAMU\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 63 IoCs

pid	Process
2144	service.exe
2820	service.exe
1248	service.exe
1324	service.exe
2336	service.exe
2468	service.exe
1764	service.exe
892	service.exe
2020	service.exe
2804	service.exe
2260	service.exe
980	service.exe
2508	service.exe
2476	service.exe
1540	service.exe
1544	service.exe
2432	service.exe
2512	service.exe
1552	service.exe
1444	service.exe
2676	service.exe
2656	service.exe
2268	service.exe
2148	service.exe
1744	service.exe
1808	service.exe
2940	service.exe
2020	service.exe
2984	service.exe
2460	service.exe
2676	service.exe
2656	service.exe
1960	service.exe
2172	service.exe
1612	service.exe
2160	service.exe
2832	service.exe
2512	service.exe
1552	service.exe
2260	service.exe
2428	service.exe
768	service.exe
1684	service.exe
1524	service.exe
2900	service.exe
3052	service.exe
2880	service.exe
940	service.exe
1660	service.exe
588	service.exe
836	service.exe
1160	service.exe
1716	service.exe
1684	service.exe
2636	service.exe
2900	service.exe
824	service.exe
2804	service.exe
432	service.exe
1108	service.exe
2328	service.exe
2568	service.exe
1788	service.exe

Loads dropped DLL 64 IoCs

pid	Process
1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
2144	service.exe
2144	service.exe
2820	service.exe
2820	service.exe
1248	service.exe
1248	service.exe
1324	service.exe
1324	service.exe
2336	service.exe
2336	service.exe
2468	service.exe
2468	service.exe
1764	service.exe
1764	service.exe
892	service.exe
892	service.exe
2020	service.exe
2020	service.exe
2804	service.exe
2804	service.exe
2260	service.exe
2260	service.exe
980	service.exe
980	service.exe
2508	service.exe
2508	service.exe
2476	service.exe
2476	service.exe
1540	service.exe
1540	service.exe
1544	service.exe
1544	service.exe
2420	service.exe
2420	service.exe
2512	service.exe
2512	service.exe
1552	service.exe
1552	service.exe
1444	service.exe
1444	service.exe
2676	service.exe
2676	service.exe
2656	service.exe
2656	service.exe
2268	service.exe
2268	service.exe
2148	service.exe
2148	service.exe
1744	service.exe
1744	service.exe
1808	service.exe
1808	service.exe
2940	service.exe
2940	service.exe
2020	service.exe
2020	service.exe
2984	service.exe
2984	service.exe
2460	service.exe
2460	service.exe
2676	service.exe
2676	service.exe

Adds Run key to start application 2 TTPs 63 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HQNIXRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTDLUAQLGAFVWT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJILGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HCARWPFFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKVLHGTAJXTQBVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\KRVHFJEMAXBUSBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEWVDXNDIARIHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GRSNMOERITYIVGF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCDBJCGVVIJFDFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAVHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLYHHTQNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEEFAFBWQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NKJNAEAOUMDCFAG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVARMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNBOWCUYTPQDJQQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLEDKTJPGXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLJNBFAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QWMKOJRFHXGGPLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMEKRDDQWOWKUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWHFJEMAXCUSBBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVGEIDLAXBYTRAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUNSLBLFDGWSTBO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKPCOWOBDXTOCYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPLKXENXVFBMFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSQXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OGXPLGWQBQAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLJMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKVLHGTAJXTRBWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQLBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXOLGVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSWKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRINFWNBLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LGPYWHDOHIYRUVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKVLHGTAJXTRBWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUPFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRRPXJQUGEIDLWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\AQROWIPUFDHCKVA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYBBOUMUIS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWNNL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GBXQVOEOIGJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYYUVINUVGAOXJJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNWIOT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XJHLGOCDWUDDWMH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOFXPLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFPYWGDNHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NLPKSGHYHHQLULA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLQVBCIAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHMTUFYYNWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDHNAMU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\VBTXSOPCIPPYAUT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKLIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVWJOVWHBPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBAQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQVIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPGLDULJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYXJRISOJSETDTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMSJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMKYPBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFDKUKPHYPDOE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKXEOXVFCMGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDTQQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
912	reg.exe
2780	reg.exe
2760	reg.exe
1540	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1788	service.exe
Token: SeCreateTokenPrivilege	1788	service.exe
Token: SeAssignPrimaryTokenPrivilege	1788	service.exe
Token: SeLockMemoryPrivilege	1788	service.exe
Token: SeIncreaseQuotaPrivilege	1788	service.exe
Token: SeMachineAccountPrivilege	1788	service.exe
Token: SeTcbPrivilege	1788	service.exe
Token: SeSecurityPrivilege	1788	service.exe
Token: SeTakeOwnershipPrivilege	1788	service.exe
Token: SeLoadDriverPrivilege	1788	service.exe
Token: SeSystemProfilePrivilege	1788	service.exe
Token: SeSystemtimePrivilege	1788	service.exe
Token: SeProfSingleProcessPrivilege	1788	service.exe
Token: SeIncBasePriorityPrivilege	1788	service.exe
Token: SeCreatePagefilePrivilege	1788	service.exe
Token: SeCreatePermanentPrivilege	1788	service.exe
Token: SeBackupPrivilege	1788	service.exe
Token: SeRestorePrivilege	1788	service.exe
Token: SeShutdownPrivilege	1788	service.exe
Token: SeDebugPrivilege	1788	service.exe
Token: SeAuditPrivilege	1788	service.exe
Token: SeSystemEnvironmentPrivilege	1788	service.exe
Token: SeChangeNotifyPrivilege	1788	service.exe
Token: SeRemoteShutdownPrivilege	1788	service.exe
Token: SeUndockPrivilege	1788	service.exe
Token: SeSyncAgentPrivilege	1788	service.exe
Token: SeEnableDelegationPrivilege	1788	service.exe
Token: SeManageVolumePrivilege	1788	service.exe
Token: SeImpersonatePrivilege	1788	service.exe
Token: SeCreateGlobalPrivilege	1788	service.exe
Token: 31	1788	service.exe
Token: 32	1788	service.exe
Token: 33	1788	service.exe
Token: 34	1788	service.exe
Token: 35	1788	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
2144	service.exe
2820	service.exe
1248	service.exe
1324	service.exe
2336	service.exe
2468	service.exe
1764	service.exe
892	service.exe
2020	service.exe
2804	service.exe
2260	service.exe
980	service.exe
2508	service.exe
2476	service.exe
1540	service.exe
1544	service.exe
2420	service.exe
2512	service.exe
1552	service.exe
1444	service.exe
2676	service.exe
2656	service.exe
2268	service.exe
2148	service.exe
1744	service.exe
1808	service.exe
2940	service.exe
2020	service.exe
2984	service.exe
2460	service.exe
2676	service.exe
2656	service.exe
1960	service.exe
2172	service.exe
1612	service.exe
2160	service.exe
2832	service.exe
2512	service.exe
1552	service.exe
2260	service.exe
2428	service.exe
768	service.exe
1684	service.exe
1524	service.exe
2900	service.exe
3052	service.exe
2880	service.exe
940	service.exe
1660	service.exe
588	service.exe
836	service.exe
1160	service.exe
1716	service.exe
1684	service.exe
2636	service.exe
2900	service.exe
824	service.exe
2804	service.exe
432	service.exe
1108	service.exe
2328	service.exe
2568	service.exe
1788	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2212	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	30
PID 1736 wrote to memory of 2212	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	30
PID 1736 wrote to memory of 2212	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	30
PID 1736 wrote to memory of 2212	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	30
PID 2212 wrote to memory of 2024	2212	cmd.exe	32
PID 2212 wrote to memory of 2024	2212	cmd.exe	32
PID 2212 wrote to memory of 2024	2212	cmd.exe	32
PID 2212 wrote to memory of 2024	2212	cmd.exe	32
PID 1736 wrote to memory of 2144	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	33
PID 1736 wrote to memory of 2144	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	33
PID 1736 wrote to memory of 2144	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	33
PID 1736 wrote to memory of 2144	1736	842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe	33
PID 2144 wrote to memory of 2980	2144	service.exe	34
PID 2144 wrote to memory of 2980	2144	service.exe	34
PID 2144 wrote to memory of 2980	2144	service.exe	34
PID 2144 wrote to memory of 2980	2144	service.exe	34
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2144 wrote to memory of 2820	2144	service.exe	37
PID 2144 wrote to memory of 2820	2144	service.exe	37
PID 2144 wrote to memory of 2820	2144	service.exe	37
PID 2144 wrote to memory of 2820	2144	service.exe	37
PID 2820 wrote to memory of 2988	2820	service.exe	38
PID 2820 wrote to memory of 2988	2820	service.exe	38
PID 2820 wrote to memory of 2988	2820	service.exe	38
PID 2820 wrote to memory of 2988	2820	service.exe	38
PID 2988 wrote to memory of 1692	2988	cmd.exe	40
PID 2988 wrote to memory of 1692	2988	cmd.exe	40
PID 2988 wrote to memory of 1692	2988	cmd.exe	40
PID 2988 wrote to memory of 1692	2988	cmd.exe	40
PID 2820 wrote to memory of 1248	2820	service.exe	41
PID 2820 wrote to memory of 1248	2820	service.exe	41
PID 2820 wrote to memory of 1248	2820	service.exe	41
PID 2820 wrote to memory of 1248	2820	service.exe	41
PID 1248 wrote to memory of 1952	1248	service.exe	42
PID 1248 wrote to memory of 1952	1248	service.exe	42
PID 1248 wrote to memory of 1952	1248	service.exe	42
PID 1248 wrote to memory of 1952	1248	service.exe	42
PID 1952 wrote to memory of 1660	1952	cmd.exe	44
PID 1952 wrote to memory of 1660	1952	cmd.exe	44
PID 1952 wrote to memory of 1660	1952	cmd.exe	44
PID 1952 wrote to memory of 1660	1952	cmd.exe	44
PID 1248 wrote to memory of 1324	1248	service.exe	45
PID 1248 wrote to memory of 1324	1248	service.exe	45
PID 1248 wrote to memory of 1324	1248	service.exe	45
PID 1248 wrote to memory of 1324	1248	service.exe	45
PID 1324 wrote to memory of 1168	1324	service.exe	46
PID 1324 wrote to memory of 1168	1324	service.exe	46
PID 1324 wrote to memory of 1168	1324	service.exe	46
PID 1324 wrote to memory of 1168	1324	service.exe	46
PID 1168 wrote to memory of 2292	1168	cmd.exe	48
PID 1168 wrote to memory of 2292	1168	cmd.exe	48
PID 1168 wrote to memory of 2292	1168	cmd.exe	48
PID 1168 wrote to memory of 2292	1168	cmd.exe	48
PID 1324 wrote to memory of 2336	1324	service.exe	49
PID 1324 wrote to memory of 2336	1324	service.exe	49
PID 1324 wrote to memory of 2336	1324	service.exe	49
PID 1324 wrote to memory of 2336	1324	service.exe	49
PID 2336 wrote to memory of 1876	2336	service.exe	50
PID 2336 wrote to memory of 1876	2336	service.exe	50
PID 2336 wrote to memory of 1876	2336	service.exe	50
PID 2336 wrote to memory of 1876	2336	service.exe	50

C:\Users\Admin\AppData\Local\Temp\842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe
"C:\Users\Admin\AppData\Local\Temp\842179c6817bea1e2665d7bdd327d738d5a713a1f2e0cdb8e7da041329195342.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe
  "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempBUUJS.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNBOWCUYTPQDJQQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2944
- - C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe
    "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempIPUFD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIREDQ.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VBTXSOPCIPPYAUT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWDTMS.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYYUVINUVGAOXJJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        7⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        9⤵
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXOLGVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "
        11⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRALSW.bat" "
        12⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYXJRISOJSETDTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
        13⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
        14⤵
        
        PID:564
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYEIYW.bat" "
        15⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKPCOWOBDXTOCYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
        16⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMKYPBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFDKUKPHYPDOE\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\TWLFDKUKPHYPDOE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TWLFDKUKPHYPDOE\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        18⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
        18⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
        19⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPTUGH.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPLKXENXVFBMFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSQXTJWENE\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBVXCS.bat" "
        21⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKVLHGTAJXTQBVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWYDT.bat" "
        22⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKVLHGTAJXTRBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
        23⤵
        Adds Run key to start application
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUNTFB.bat" "
        23⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVWJOVWHBPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBAQROXJP\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "
        24⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKXEOXVFCMGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDTQQ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "
        25⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUKYGO.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KRVHFJEMAXBUSBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSQTI.bat" "
        27⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AQROWIPUFDHCKVA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQKCIPYBBOUMUIS\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVC.bat" "
        28⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXAMY.bat" "
        29⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIFOAG.bat" "
        30⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGPYWHDOHIYRUVH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        31⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKIURQ.bat" "
        32⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWMKOJRFHXGGPLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMEKRDDQWOWKUKG\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCWYDT.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKVLHGTAJXTRBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQHFQO.bat" "
        34⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XJHLGOCDWUDDWMH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOFXPLGAAPQNWIO\service.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYTRAA.bat" "
        35⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRRPXJQUGEIDLWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJQKPA.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCDBJCGVVIJFDFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
        38⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "
        39⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYL\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
        40⤵
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
        41⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAVHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJWAAX.bat" "
        42⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GRSNMOERITYIVGF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe" /f
        43⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUTJTMLNDIWVHQ\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHEJE.bat" "
        43⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNIXRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        44⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe" /f
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "
        45⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJILGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFPYWGDNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
        48⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LDTDLUAQLGAFVWT\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
        49⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        50⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        50⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQVIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /f
        51⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEWVDXNDIARIHR\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\MPEWVDXNDIARIHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEWVDXNDIARIHR\service.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        52⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJUSRV.bat" "
        53⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NLPKSGHYHHQLULA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLQVBCIAF\service.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        54⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f
        56⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "
        56⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUCQPB.bat" "
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NKJNAEAOUMDCFAG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe" /f
        58⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUJXFN.bat" "
        58⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVGEIDLAXBYTRAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIVCSL.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHMTUFYYNWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSEMDH.bat" "
        61⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HCARWPFFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f
        62⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
        62⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWNNL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe" /f
        63⤵
        Adds Run key to start application
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GBXQVOEOIGJVWES\service.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        63⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe" /f
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe
        65⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        66⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe:*:Enabled:Windows Messanger" /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDHNAMU\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        66⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        66⤵
        
        PID:932
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAHVDQ.bat

Filesize
163B

MD5
e5fea69fd378f24cd1e7dc48ceb8289b

SHA1
40726f47bb9fdd955834922939ddf3f5404583b9

SHA256
5399625df7343f1ac173b24c626b96e7ea6eb480c6745331fcdf5b1b14901b09

SHA512
ca258556151b7f69d0a0368418469edae5092593d2a3a5833e380f91e66d8bf688626a12b40d68bbd8bb9e783b64d6126fab2ac614efc3c0bcd5f424a3d29a2b

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
288404ad3a354f01cdbe49b6e22f2238

SHA1
271846f48474dfcfd9793e67019d8c4cd00a3199

SHA256
5824040f5c09e0a448bcc117cc31c781e6dd7e0ac6910081dd51f958a136028a

SHA512
bf3cd87d1b4dbad957146574d6799bda3cbc12362126b2c7e9380b4327d7e90b3d37a7bcbaf8b7b5d50490ea4ab6b8a578b235a2009c1b6b333ed192d8a30873

Download Submit
C:\Users\Admin\AppData\Local\TempBUUJS.bat

Filesize
163B

MD5
1aac4a137d53110e6c4b73c2c74aebf3

SHA1
50f5cc7f8dc1b4ee5ae6e67692dabc0e5683fa7b

SHA256
ad1c2e026c69c4d1e45e5daa32b556d7c561d04933d4cb8447d3f98de49fe53a

SHA512
d67657c87e62c638c46b340572ed01e474014c9724d0d224bcaa2790e38f72751ebb138307bec05fa17395260e8f2cd8d0cedf0c299816f3700373fe3f282072

Download Submit
C:\Users\Admin\AppData\Local\TempBVXCS.bat

Filesize
163B

MD5
098a362b43f4a0db6697b57f03216638

SHA1
f189d8be3c12718deddc920dbaa1d792ed32fe23

SHA256
09b1e23c28c97e3c2b0e45911c0a8368bff53d34c62394be49f5d1a8822fc21d

SHA512
a5947e495659a82f2e8b73aa2b6761173cd77ccc0a317aebec3e96568f038c3173f0a526dc001b71fa64e5f80e380d0b4cf080456c800010523259d6c5de22b5

Download Submit
C:\Users\Admin\AppData\Local\TempCFHQM.bat

Filesize
163B

MD5
bd992db7230dfcdef4c27a5658c69cbb

SHA1
3f7a1a3458761ffdf99a57bcf65a55bc80a4e06a

SHA256
886c599ca5335f0b56b289fa2c40dbbda26a3970b799aaa2eef1aa6e7a6aa422

SHA512
d9726039c875b59740f311045cee8ca6e7fbe9e9d5eb358824fdc8ea06c2c1326d28931b56b5a4e16179024065bd18e1d4368597b8c238d0414cd97706899f15

Download Submit
C:\Users\Admin\AppData\Local\TempCWYDT.bat

Filesize
163B

MD5
b3e2da4d0f0bca5323ddacfb1a1d59d0

SHA1
55c36644b5ef5554b9ab448deb38f10be86580f1

SHA256
ee1a4370894c20f42f99dcd07e4e04d5d86dd6b8d42acdf06f6ce729d2ccecdb

SHA512
ca991a7f076f9dfed242f0592968bc74aecc3a9db647492d6ee3c671e1debbf708cf4b856b68fa866433a9926e748062b84d48c76d50fa2e9ea3d2dd6883dbd3

Download Submit
C:\Users\Admin\AppData\Local\TempCWYDT.bat

Filesize
163B

MD5
4ad639d92feb2b0734597282841c06c9

SHA1
72195d7d8ea1fbcc18617a110dc21c52d112422c

SHA256
49ae090e08b3456db252d3bb8e8cb71f05e8b2f269b1a770d22cd58feaf3e4e0

SHA512
a9800a30f5ac4aaa0bb335155ffb49f65ef0c8a3aba4eaea2db72ffc282982ecad2987d3706494b1d1179ccf6905c84a45c4a4ed44de279059cd61ed7e8c880e

Download Submit
C:\Users\Admin\AppData\Local\TempDESAO.bat

Filesize
163B

MD5
5b8a64d8a40c0ee634f051917d11e111

SHA1
e803fb652a18a07cea05c4174de8361269e8193e

SHA256
0f7ddfe9ea42dc3c0b9769896b24b77eb92e5aa47ea797462d56e89242db8c22

SHA512
183d901404e67e2b839a50daa7de077716297d5c818407897c297dba7133d2c9ad15f74b75592140233a7e4ea2dd44fe6a69727ac02680ce585feb55503c3eae

Download Submit
C:\Users\Admin\AppData\Local\TempDXAMY.bat

Filesize
163B

MD5
1f1d8e37cc450a99ddac87c7cb1f9a86

SHA1
031098a964f57adccfbc899b05f332bd80dbc259

SHA256
8ff70b00b060797307632716f7cf8022ca98950d439be373e5edb3a805f03891

SHA512
b87f0443f3710186636c4dfbb59e0b4f6b680a4e01f2c1b342025dedac022616d98e8f0f73ee8d974799ad7ded018ede6d9466a2375710d1899d4070ca341692

Download Submit
C:\Users\Admin\AppData\Local\TempEIJSO.bat

Filesize
163B

MD5
7a09bb9b03e0dbfad21b971a5f678e55

SHA1
e6859b9207901a0905d0a8451af0bc2a14650fdb

SHA256
e7b3c7a61d4fe1b3fde1a7b9cfac1bbf340778629f3a33153409ede89e909e66

SHA512
205b7c567bff8b961106a204f2d953a8a4083b04b0b4789c32a366704571ec8599e78e2e14b88628333dd17bd3e391324f7b9350691acb703a4068e06d3b5252

Download Submit
C:\Users\Admin\AppData\Local\TempEIJSO.bat

Filesize
163B

MD5
81d1c801572330023a9b9961a49d91ce

SHA1
e2c49b388a3dd7e9eeead137eeda3eda2e26ccc6

SHA256
6f97acc3812e7ee54073866de90ebc360ed880ebe753446ca58c6763657dbe58

SHA512
1a75eef4233c325497951380fe45aa81f29c92fb53162f9784c05e68637ea4cbb9b3e4e3fffce67039248381b76a8471993b75f72b1095f0da99be2224c098e5

Download Submit
C:\Users\Admin\AppData\Local\TempEXNJR.bat

Filesize
163B

MD5
8d1283bcd15a0ef53eeadc7d227c7312

SHA1
6b3e857ce23277dfbb366f5f3bd4899dd495bbff

SHA256
a1427421a05a1ce87d9a32b0141d7ca0080c355acf5401d1d19ac1cfe55a402c

SHA512
fb952d36114c7da520fbc1e0fb40833d25f6df6287b318ded6d50c400f297e11760f2a9b28f9d79c9fbb0c737c12f7724aba5604e0464bfe852ec393dd1fe812

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.bat

Filesize
163B

MD5
5a2d7d2fdf8d93d974d5b1e5e9e8b3ab

SHA1
b73cae44242128fcf54c491ac6d0e9a8fcc0b95a

SHA256
1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8

SHA512
8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.bat

Filesize
163B

MD5
918d95f0ca208449a1cf6f3f326bdc29

SHA1
67f6e06e60958a451016a8cd88aa23433b402155

SHA256
7a5bc9b0f7c9b56aabd6b1457849a5f30869d75f29999f3da83908120d6035f8

SHA512
2d5cd38353299cf78a04129ffb471e4d318748aee647c6d4ae2e3e0e68141acb457b23b90fbc9e3bb4ca8815b48a3dc7bf76d19ba6a62d6d8c6f22cb78179f57

Download Submit
C:\Users\Admin\AppData\Local\TempIFOAG.bat

Filesize
163B

MD5
2e0537b478482c13261112cb052c8c6a

SHA1
88f5db853365ddadd22fb3c52b29e9c9bbeddf49

SHA256
b6ef31c334db3f388c7c12ab83ef61052e551ecaaf4924ec753f36b30472431d

SHA512
402a606a25521db8d7ab36c1a69711ef2f0f985d4c0665daa9d060b6740b0870f81b29bd49dafc70aece65f62edaf49cda93a1927acaeec29a1462ba6ee8b5ec

Download Submit
C:\Users\Admin\AppData\Local\TempIPUFD.bat

Filesize
163B

MD5
784a5098d84059764c71be0f253fcd67

SHA1
a2798ebf53f4b0e163bee7cde37a17e3a53fd9f2

SHA256
ab5aecabdf1ed8d35319c4da21727a26fa53da3a7fb12149385947a7c1e13194

SHA512
1fd5a3615cdba9028b13ca7d3ea0f4287a9adbeec3d6e7f599e3cb873909468043cb2fe2026baef78249a78d906d785dbb90e5d431d5a5ac23e733fab2d5b498

Download Submit
C:\Users\Admin\AppData\Local\TempIREDQ.bat

Filesize
163B

MD5
384e41522b504170d1950cdbc35d07e3

SHA1
d805652e07a7918d5537154f440733313f4425fd

SHA256
a1e14a5643f993b311db480306b771900781e68fd81c160f0bf055c2be43b151

SHA512
ed4352c07bc76657b0a28f5b911809c7aa5df163c09f64f874baa3fa0c728347a052bd1ec40f74edca6bb1694ded57551de2589cce949ee41b4b138f575c43d0

Download Submit
C:\Users\Admin\AppData\Local\TempIVCSL.bat

Filesize
163B

MD5
0ceaecba6d224b19985117798cb4014a

SHA1
c7251d70455f2f98098249c15d3b35296edaae55

SHA256
6e5df34435e5de80cb5a8a6c74f913214223e3aad5d87d996491532ec1db9d4c

SHA512
f1ee1572a6fe43c0c2a0d42ddc6d1cdf8ea8acf901c52c8bed555f059f7f9997aa2e85c1aef57c0004919f20410ee20b451350e50ced6b68785b21b0127729ea

Download Submit
C:\Users\Admin\AppData\Local\TempJQKPA.bat

Filesize
163B

MD5
5c23d7339f3f06273a5fc1d77bf6fb7b

SHA1
91e275080ee26af31dddea14f4c560a25eab23e9

SHA256
ba5f49ef25c9ab43c0a75b7030069f643d4195f874e4b3da2ebb7905248a4592

SHA512
69e4d9fd97a40dd5d6350ab7b5a2d2cf30c0a5b60714d389582eb6a1c587cc4d2b2bb2a69bcee843f5d51a8f4df2de4488f5318f9a4c2aeecb2e285596c0f456

Download Submit
C:\Users\Admin\AppData\Local\TempJUSRV.bat

Filesize
163B

MD5
d242d4bc82350eace790aec420c8ed34

SHA1
691be745dd6083bd645e06259156f1ca58395c50

SHA256
2df716f631758daed528fe5776672d12751e38636542c0955d987920a71bfe0a

SHA512
72ebc76fcb6110ed5f242ef3135f218c40fd54f129d73f257ba0787f77f9aa95482cd4541b3f9338a14853a6e19bb747e7514305a44fb18c3f032d5a25a10fe1

Download Submit
C:\Users\Admin\AppData\Local\TempJWAAX.bat

Filesize
163B

MD5
958326a6eaaa2b5cd37bee2a39993320

SHA1
ed10b19f19678d77b0bbed05c3ced2c37008296d

SHA256
1f1dee9c0fab62a9a98087b7c3287ab828e03ddf23a6cd3ef1ac3461bcfda714

SHA512
3beb47a30c353cf2afb14dfa32b9b0bd79cd8b06e8899e63ea55bdc311e10d7f941802bd2716454d699d7853ec0f872985cc5a9f284c70036330698d1c0ad18d

Download Submit
C:\Users\Admin\AppData\Local\TempKIURQ.bat

Filesize
163B

MD5
245ba9a7cfd5403568462b909d25db86

SHA1
9bb498b1c78a4f04e539d63b2ecf05b1d032ffd9

SHA256
1811718ef2619128ce6f7505a4e899c4155a9d635c011135c2e36fcc8737caaf

SHA512
4a99a39a59a75ccda78e1e31aadd7541a084f6109c46077ad67aba110f3f9ff32ba76f8c16dedabdd332730496b4254115ca1354b36a395780b1054928081af4

Download Submit
C:\Users\Admin\AppData\Local\TempKSOXO.bat

Filesize
163B

MD5
090a59c0660d2a9aa20174a68b2c87aa

SHA1
c8b63fa0d9a493948d1fb8ebd6aedac3f5b16c26

SHA256
39b5ab49578bfa0b316ce8a98462b1359d803e6709054e4c6b9c900810365dc4

SHA512
e6a0b9e38ad4b47da4a78755015abed80f1194aa244c78570998a8118708fa8f0cea4f702eee743beea51e86ead1f24b9ab221001ce1656fc81e9746b8cc3551

Download Submit
C:\Users\Admin\AppData\Local\TempKYGOF.bat

Filesize
163B

MD5
e639a21732428a6804f84269cff210cd

SHA1
029a2178793c32275f5ff798a606aa958b6396be

SHA256
a33e500abb1f551387331580df3838caaca99741115a5710465a72313477ee81

SHA512
43e6c1d60fe8a0645cb25ef78d6d57f94e536c5e9e0cca277ece4b6d98f4cfaf2ca5f7eec5f2ba5bfd5a7043eed64bb27d9659c51df828a4abe89be5ff01215f

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHE.bat

Filesize
163B

MD5
f814f4259a2f98d4da28c79ed3a6bb4f

SHA1
b36d0e73e50229d7ad8821238034a6bd95cf482b

SHA256
eae0bace75f623e11d6b7ef774140e65632b6e3f4df9cb6f90138299c79aea68

SHA512
badd7876a8498ca1aa06c486d73d702210adc70aae2e996340a842443823ea76ac04c457d379d422ff2f451eb0ec2739fe13d4952b70a18dca85540a79cf7654

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
4ec0633640840b7b24e9f6cf20dad497

SHA1
f42f41ef03ca7150f5fcbf927f72afe828f5cc17

SHA256
120f71c3e1029941579c91591865b0b5390b374dda358cdffe65a7190b6ad926

SHA512
29de741b27415cbe79a53b0e04560c83f173e9aa9a6591b2e69bda035ea28f08573a2619ba401a9ae28ca81658e3bdb5315edc2a0989364138a6a532c16ce787

Download Submit
C:\Users\Admin\AppData\Local\TempLPQVC.bat

Filesize
163B

MD5
79a1d87a1e1512991e1a49f1fedbea4a

SHA1
128b1b8341249b13cf6d83a39cac4626c8154c5f

SHA256
c9349eede47b987b3b2c39b6399ad30c13d5ef079ed0cc1e98c9946d6a3d4b05

SHA512
36f05c7c927ceb66985a5651a6215455aa088add39fee67e7c70d6196fdda063ef09a3959e57e4ca85e7884bc90179377681ff4d0dbae2cbb514cfde9d01e747

Download Submit
C:\Users\Admin\AppData\Local\TempLUQDA.bat

Filesize
163B

MD5
0887f8a053b6634da227e398c394d81b

SHA1
7e302400941306dbb1fb3a489a23add27b1209d8

SHA256
2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

SHA512
e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
02588bde156f4fec5f0df3d0ff8bede1

SHA1
34461a5ce0789fc448f493a9e6a1c583a0d1a89b

SHA256
e619e4dfcc93453be75b64b7938e54164a7f979fbeb92de6221ad7f9c6a2d0d0

SHA512
56790994e090fa5cf5d4c5eea229189c7cf591ca0554a1c463c0e1f8ef18aa376fa2e53078b417a5bc7063d606d12743113585cefc6b1b232be14fe7dc161c73

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.bat

Filesize
163B

MD5
1cfefe403db7d69c71d212ef734120c5

SHA1
6ca4d27050faf006098e65c3476c809e78500414

SHA256
242c3886eb4dbc6bb2ed532a2b61da79faba7a61066a0702ae0e7327e37a9586

SHA512
534f6c719c8e3f163570f3a09770457ce1695abe8451fe252279fd7a760cc2f833f189f944b1f8674aa0e8e3b2aa0550a8b3e8fa7d3732f3dc6bb9685c298182

Download Submit
C:\Users\Admin\AppData\Local\TempMPRWC.bat

Filesize
163B

MD5
f798dd8dcaee50bb6e1668dff7c99437

SHA1
899ad0923d144cb38291faf0a0f49454b50a8004

SHA256
c5e9239f099482c6e82f1ccd144512c90eca95aecec29af105f1a3fe91046494

SHA512
ac8c05ce522124ad9fd608510f7d99a0a2e6fed831ee0f0d94a20727bd65b5e1feff625ec81908ea232cdfebc6d3ee1e4f15b3a5d01f1e73430e4a87920a895c

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.bat

Filesize
163B

MD5
5385ab3f2df8744a0cb4999c9577fb04

SHA1
26fe6b76c6a71cb798a0ac87e6b3ab5e76a56ca5

SHA256
272d1cba893caecc15ad2b2f99d7f16f68f6698a4886d181b8edf76a24a73f83

SHA512
1199937d96bb3622ba3f69f5ed15aa5656b68f81e5ae55b294f02648920a765a780ee03d0637ca6b578fbda2ac411c53b2e456e9d34afa08da9acd1bca8b4d8d

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
cc94ad97eefb901f6e89f6474a0466fe

SHA1
ca2e8da446ae825fc068f31fe89b3556df3072fb

SHA256
dcc3f61968e33e9f2fc7f2b3842f161c7b50a483424bd5b86711e18cd4737850

SHA512
14c31094612cef776a184bac82ed4e47d7941ce291111ce8ab48992c80ee4c7c4c6f25caa3a1485e6b35e1722ddec6fc686369b8b63bc578bfe76cbd0c051c0c

Download Submit
C:\Users\Admin\AppData\Local\TempOVLJN.bat

Filesize
163B

MD5
cf95fe0813601aad06d04cddf6099776

SHA1
9c65e8c1dd65d5b1879180b13a7147a336755ec2

SHA256
8f7145662cd11c3071ef83a03522248ac6418d9b33037d925a3a1ce91943ae8a

SHA512
9d45b45413e5f9113ede89a5fe5e319201d331e6fa4aab68531e4d8232843e2279e61574257ebb62037ffb2f3c1d3fdb1908e78ee1a0c2c9e6ba05fe16a81d27

Download Submit
C:\Users\Admin\AppData\Local\TempPTUGH.bat

Filesize
163B

MD5
7e3d6b79c4623bac6e8729c4d1c584c7

SHA1
cc511f2f19f11eb4115f4c3dd9f7c3dcd47a159d

SHA256
eeea9724f822b66552e1f5b8ec0a6cf84c0e201ee11ca98fb64b054f0cb07f3e

SHA512
ecb7151b7a4211472717a3e54cb0daac80c0fe2ec1343922ad89e428bed982c73ba70e9f7cea7a07080dbde90b5a4127b62ffeec0110817c2b17495729b92cce

Download Submit
C:\Users\Admin\AppData\Local\TempQBVUJ.bat

Filesize
163B

MD5
878f9cef61636cca20cfb70db6163294

SHA1
6af0e6d2f4839baad8de028762aaae888e12e698

SHA256
224e5d724d4f06b25b986fee6169b27ae18dcd8060982a5842bfa7a22430dda3

SHA512
84b6f14411541b4043692c395b4167e6d619573e1495a2aea63063ff7439e91c5034f75e664159462c7540a1a646560b6af8645a6033756dd804924819ccd211

Download Submit
C:\Users\Admin\AppData\Local\TempQHFQO.bat

Filesize
163B

MD5
e74d0892edc8a5bc5d298f25a14a1b47

SHA1
fc49b63f79c74c58c277dee59c98901a6329c98f

SHA256
9bcde95cfc955d53e25611fbb444c68dbd0fe074eadcb7ff38b7292db1187784

SHA512
fab51c6f244465a0f1ffe1c554d76a4090f024aea5ecbff0ccf9bae00ffd51b1f4f115d206a048553a59958435431f45b355abbc2d2d01743083538c1a032f26

Download Submit
C:\Users\Admin\AppData\Local\TempRALSW.bat

Filesize
163B

MD5
a4632cf3c2d2f4a77663abe67fca07ca

SHA1
625f55d6b33c8fd0b995c4d6df34ef7cba904c7b

SHA256
ce9c0e5de128c535f7037a23f7359d301c60563d8af71714e6a384c052bc0157

SHA512
c1915001a0770eafa84fa7f38719ea42b80ce63bd145f298402ab891e05fc1803a56a2e5fb2bcebc58245c55c9a75ea9555b7a0d9cbb5cd2503afdc03aed5241

Download Submit
C:\Users\Admin\AppData\Local\TempRCVVK.bat

Filesize
163B

MD5
6bf0a86608244f93ed32d2fb3e80b603

SHA1
ba4d7391e38e21bb0837ea23c25fd62f62a80e57

SHA256
42dd1712f8c777b0acff84ca6ab46891d743c3cdbe875da70a2551c8d0239d93

SHA512
7196de843bd953314c238fea2c59a7cd85766485a68531f7d60e030de9ee2bd29e12bba6d1bd6ca895ac3d8222f133228f53241035e57431a1940e76d13be081

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
f041eccce7f551790b2c0f141c2371ba

SHA1
180afe3a0774c0ed883589e5976d5fbaf2c281e0

SHA256
a05bd12817a17601f3763fbbb889159320bbd652b56ef34bb1f6105193903d42

SHA512
dbd390f540aaf5124445511d977a49889dc010c9715bf89fea123840304de65da6c0da5804ea5312635bd35c6962110abcb0e19d2e5bc8a773cf8d0d6420acc8

Download Submit
C:\Users\Admin\AppData\Local\TempSEMDH.bat

Filesize
163B

MD5
605da9a343eadc577bcd7979be442669

SHA1
b3caa6859da31ee3b6a511297c2ea4f425ca15dd

SHA256
b7aa10e4746e5fc201080bf1da970b621030600ab4f3675d324bde17bbeef667

SHA512
fe9ff161239d7dafac5a62399a1dbbfa05256b6b6b504fe4d3c3f209d9756c3d1e78e712ce58a04e26818322d05168459fc584e54c4d37f69db42fbc2e56de38

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
188df0165b88e92710b2dfd28f60e38a

SHA1
0c22203e39030479aa2fc6cd1ced2cfa909db766

SHA256
8609b544ac5ab107c17ecbd7cc5922aa2c7b179a7e01a0d840ea7f1345017d55

SHA512
cad8fcf2b2f5268e7aac8e7a0cb78fd78ef7411630a030a3725e818e7aeffb5bae285c37448f4a797c836015a0018075d2b3035e938dd4fa7369d412ffc4b32d

Download Submit
C:\Users\Admin\AppData\Local\TempTFMQC.bat

Filesize
163B

MD5
fc4ede3ac88659716179932f05354afd

SHA1
30f93bd2c161cacf756284de2a64b2267bc7f8d5

SHA256
1c49dc9eff86784b8998c98ca8f90935f342324991d8d91593345ab1cf1d4d27

SHA512
dfc462d5f56201d066ce741360633734682e5258c5215cdf60e5c7e3b2fa2f42c921b62499dd85763cc1d257668197fe655f49fc081dd6c64b5db56a0c311e0f

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.bat

Filesize
163B

MD5
d6c294e6681b6ed947cd0025c2ceaf19

SHA1
eb4c2dd273775666d2bda0086805bd5d93f4f0f7

SHA256
674ca72e2f46c3e4d64ffd731659d9a183b71ad9bd6f2dffb4a63da0995189e0

SHA512
bf3f172d1b8d9316c76d0f2feea7f7cbdcbf7fb3e4376041589ceb866605d1a8dbe57fe2f0c9a3f0c0e3d457b19f259ae625dab51d8571b2de056e3f72eff378

Download Submit
C:\Users\Admin\AppData\Local\TempUCQPB.bat

Filesize
163B

MD5
cbb7deb4e2af021eeac97b1a44959f05

SHA1
00b6281a9365e699398e9d15edd638467b7ff9d6

SHA256
54ef0311365fa4d035ef3cbf567a91b2b7f559f732275147a7548874340d97fe

SHA512
eb59a3db2c2eb3344651d8fecf14dc7ad768ab3c02dc41c336594b320a474515fbfa6459f70ef70deb3d3b6fd96e644cc708c90ba3958978a19c7dc81fdea8b0

Download Submit
C:\Users\Admin\AppData\Local\TempUFYNW.bat

Filesize
163B

MD5
8e2cdfcb68ab80a91b19acd0bf1e498e

SHA1
2f13701b6e7e1bcb042b14225fa04bcdd22052fc

SHA256
f8f5b95e5d6dde02b4a18f9ef2395222de0c20c221e0bbf558d1eae0c4d98368

SHA512
b460f9d9df74d6aaf66b7b2a103481fa7b089d3092ddbab5c5b0c2a9ac750f35bf4c7ec56b8b19d70cb9e72663065c6433b885367e3fb0b06da94405a85b183f

Download Submit
C:\Users\Admin\AppData\Local\TempUGHEN.bat

Filesize
163B

MD5
19533f508961b0780627edc1fdf90410

SHA1
80ca0f088961ff1317609fa0e6e63cef17442f71

SHA256
38867ea08b2d4a289f0b24838fd415f99927ff195b726ddab0de0edefaff3ebd

SHA512
429d780aadd8af18292736368b0c18f0fcb794465c2ecceb76bf33349828bb1c0fe0c84c0f98dbe1a0c1305b1e9281fca12f33dce1e9594d16ec92e98bf249d3

Download Submit
C:\Users\Admin\AppData\Local\TempUJXFN.bat

Filesize
163B

MD5
6370a47a98628e0c6859e19ee10ba133

SHA1
4a03619873cd606ebdc7db3a257f36177cf0faf4

SHA256
d9b4c13c13e3dbad6ffb332cd360034d54d41efb73c7a6e0c8a8d6ec1a92fe5a

SHA512
e610c8dd6382620cdc7add92a1de7c0f5c7a71d94b9c101642d60a1701076d89a86c6828c1ccdc5ec6f92d8042b0c998551d262daa684b0df5b8d4d55a095d0f

Download Submit
C:\Users\Admin\AppData\Local\TempUKYGO.bat

Filesize
163B

MD5
f35b7bb9bb86ab700ba9e73bfb391d19

SHA1
e55abdc58eac5ef7b5687fc02187fa61ec5e6f92

SHA256
ef61452ee5e0790947cea7131098932b7d0c066721114d42ca80c6fdd23e44c7

SHA512
a49d63ee61e75663d4800c0baa812262870c010a49df0449ba2ffbacc6c0a69c956ecae9eee18e7d92211d3b096f4551b84e05a6a85b1169fcd5dc77c64ba9e5

Download Submit
C:\Users\Admin\AppData\Local\TempULJNI.bat

Filesize
163B

MD5
d453ecefc82bbc0c5563b926abf68d94

SHA1
89dbece71a1ab4272952a2415783b9e22ee8ed81

SHA256
8c1f00b0e5ccd96d0d9a1b2e8c8acb16cc19629d7059039069ddec8e28c5783b

SHA512
d813cf2b52e5f1ceeae18d8c60c892ab2b7943ea7ab6ef0d8b2aaea2ab4dcf332e89b830c691a6fca6fa384749fe26a6af44d52cd947eb233cbf5fa7f556caea

Download Submit
C:\Users\Admin\AppData\Local\TempUNTFB.bat

Filesize
163B

MD5
55ff2439e156a0ff03a9d6e0282547d9

SHA1
c6b50e05b61142e96bceb4dc23bc39135d03e874

SHA256
9773f08e4711b15c1154e787098a067a142f6669527c8c81c39f40fe5e91b3fd

SHA512
ddac90b0effa803a7a15c8a4ac19af2436d09e60efcc602e2222cabdd07323a2c2d87727d9fc98107e5cae4b7cd7fbff7a7b3d40da27eb482a7ad3e1350a2041

Download Submit
C:\Users\Admin\AppData\Local\TempVHEJE.bat

Filesize
163B

MD5
117e29283f8804357e133f979a7bdddd

SHA1
c584c5160203c45243483a609331314c10f19cf6

SHA256
c7412baf4fdd04651be09a0a73b0ced28e2ad3917e3d76590ad9201b642df7ec

SHA512
07984dd87be19e06b9f6a9376143d78872403b9ad8d8ae81fc2dc8c8ae2190844ea1b344e82d9f7020f17b568c75249ee9bd7232256adb3dfef8b1cdeb9de698

Download Submit
C:\Users\Admin\AppData\Local\TempVHIFO.bat

Filesize
163B

MD5
73db002764babcbcd62362fadacd4184

SHA1
572f87040c07b280282e1de7fd88d742586f5f1a

SHA256
99547a3b05ed530155791dabbc6d6543348e3f78c5ed4de26e1ba4b46bc2103c

SHA512
7853398b91faa00d39808a1d9af6531eced55e1cc5b31016a3a737b9fd2782dba6a35bc22889fd07ae816165d6e7b8698d36c374db5d6d223652d78fa8cbf97b

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIH.bat

Filesize
163B

MD5
1d04dcf7878702fd18d7e6ed7562894e

SHA1
7eb33af482be5164ce41ef0314274bdb945898f7

SHA256
12fac302f2e1efc661afc1594b5e5ab31298e3ac7cca736909610a7d48203890

SHA512
90194afa6724fd1ffe21cda8776505cc7b5457813b0bfd230f5679d75de2477e28d2491956e19588c55d4f97da897a8ef687290a0e8077ee130fce7696df5c42

Download Submit
C:\Users\Admin\AppData\Local\TempVLXIH.bat

Filesize
163B

MD5
38582d0b8684e515acc8a0b855142358

SHA1
091d9a23d9ea9a7fa0a7583fc3233521f038d3f8

SHA256
86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776

SHA512
b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633

Download Submit
C:\Users\Admin\AppData\Local\TempWALYJ.bat

Filesize
163B

MD5
0c9f6009ebcc74291ac4b9e09f99ac2e

SHA1
abbda8e0660c4ad21a07b2b31e63493ec31a549d

SHA256
feaa08e1430d4598f816b9fe05efcaaed3133ac42a699535dbcf9fdbc67de2c9

SHA512
9dce802654bbe1ec0d868879c04d9e76c7fcdf4e4b23084614e961ee68b20e5f52090e6adfcaf314f107fd127996a76e3ce4e63c9ef435d7a4dc2ce441c6d71b

Download Submit
C:\Users\Admin\AppData\Local\TempWDTMS.bat

Filesize
163B

MD5
163c18c7c7e3f8e9365139d9dc0793f6

SHA1
805bda875bef4f99ee79aef80feeef5775d0a83e

SHA256
b6788867123cd3836460365e17adb5ad16332f458f2b976f80b4fecae2b3f2bb

SHA512
ff6902cf03b1dec2465bc165d9476e3b2c87d669ef2d382068b76e650effa0d60b4d39e3f25739548aaaf71087ab08b5b32d8d525f0f26c15d262ea66c704754

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
e5ce57e5d30e26845277d501a8c1311f

SHA1
7000a2c08a8b046d6d781967692733156a2aff16

SHA256
6e226e0033a8817c210108feaaae68b2b0ddbbc60e66151efcea4d19ad3d98df

SHA512
af1ca4eac827acbf4f5ed0edf2b781dbe4aed93ec308117fb6328241df795e5f7698ab9e6a82fdb66982d9a6e033ed8788b69240000027a21477bcbfebb11073

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
ba84db195f7d472229e4051ea0002f24

SHA1
d4d7b780d5273d1ec9c7fcdd6bef49c2696b6619

SHA256
91347d6d3afdbd3df151cdb3f91f2aaecfa09cd10ec6939ed211121d84b06dd7

SHA512
a05bffc253cc8028a9865c41670890a9cd966f5dea22c035d2cc991eb8fd573b924540b65de414f1867e3a9bed490eb09af16f3aab2fecd94563a03252788984

Download Submit
C:\Users\Admin\AppData\Local\TempXSQTI.bat

Filesize
163B

MD5
d598d22001cf112776f3b6e5ade9ec7e

SHA1
ec5500804577173786b48eabe350b9b5783c3bc0

SHA256
d083c235fc5c28428a4df9e925770887271b4513895d4d8a351aefc72bfc75bd

SHA512
f1219ed040aa87038da614999410e505ec0d9c578afa4d3c2fb75d97a6dbb101f03e5e85bcb5203e2d689b38c77ddfe43f5234c9d89fe5eecc23368721a80dbd

Download Submit
C:\Users\Admin\AppData\Local\TempYEIYW.bat

Filesize
163B

MD5
6874dcbed2aeb9e95bef731e0fdfdec6

SHA1
385571331a9cf5082939025f394c302acd89febc

SHA256
3c82ab4fa28c6b4e2d5acf59598979ee3a74b649bdd834b9b09d722e31a4fad0

SHA512
0cec8690cf05b9bf5c7e2262637b29294a64e5d4969f60af8dcb8cb5bb3e3b944d168413ba3694565dc654d2e54add4b9bf4c00dfd55fcd57118ddb34751f9c2

Download Submit
C:\Users\Admin\AppData\Local\TempYTRAA.bat

Filesize
163B

MD5
f53795e4859874c208df78a6d246d915

SHA1
514aca965e1cea221874ba8028db115976162745

SHA256
5d1a398bb956fd4d3bbb107344e6d363b4bf74eb21b0041afd75c342c1c3d644

SHA512
0c8b83c36e09033bf06189dfffc1253ee3ab1dc378c20697a68e6a3f0da50acaa24310076b21f435e13763d6ae5a21d56745944cdd37f3ee0a053c7b0a097eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDGWSTBO\service.exe

Filesize
520KB

MD5
9e170e8eb69e4ca7756adc08f6ceec58

SHA1
bfae701d67a9ff111bfa3c2154d1cfad81ea250e

SHA256
c1aaad6aa45e779e90b92ff5a83d0d65af46c854bcdae7ae922d1b981867abd2

SHA512
119c4454bb0ec8ee031f1bed68ec56c5eaf96468e5e19bbb40d0b06801fe4166c22674d5cbcec6ada4070f1d0696727aa5e63e6faa1a3b8ce255244078c54d56

Download Submit
\Users\Admin\AppData\Local\Temp\AIRJFATYKLIQCJN\service.exe

Filesize
520KB

MD5
428a73e77c17eb264cdefe987b64614a

SHA1
bee5d879ac424b80c3a8bd630d634cf63c52791d

SHA256
111f8ca562db93fc6cbd9aa01c2f921cc8664afa080f0b24a0bb88ecc3878efb

SHA512
2b0b8a6f19f5957abe7855edc2173ac15e0d65fe00069077e8ef15a803a1a86d6fa232a950e4d6ad3866337749cf5f6b2013ca8b3fac0224d003e0673247c0ca

Download Submit
\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe

Filesize
520KB

MD5
5668f1afd276f654cd73fa5e04d717d5

SHA1
b4d70cffe9156a1b265627ea21c9ab5f9bc0460d

SHA256
c1c0fec50675bc6ca2578d8ad6a48f279c2ae41babd4ce708c8260138b9df55b

SHA512
5f791ade30d4cdde6032cc6f2ea989610223d10b3a70ef122d41ad2840dc56b19851052e9cc9c94391fefaae6bc2c37e21f126b48dc9e6f2622002855f205f9d

Download Submit
\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe

Filesize
520KB

MD5
d08675e6136afa8f30b132e3459d95bd

SHA1
13789f05d5838dc55a9b7baa01c88b327f94fb23

SHA256
d0ea620be5dd9b2dce476328968a46bce2b604221cda6783933541d089956f36

SHA512
07dd2ccf4ddd7ed3b75eb7382a45414c704b466f649adda9466c2087cd4b4b4b69701882fa3144f7beb48b69f4b40ed62f446d926c9a95491465661d8a26280b

Download Submit
\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe

Filesize
520KB

MD5
29ac5a18af9ecea5e5b9fcf950915f9a

SHA1
5e6814554f8b8d4e21fef6b26ea404f1bef61131

SHA256
b11b3cdff676dfca2946e1cab4bcac7b1486274a508ad14ad2961c44bdfa01a6

SHA512
1cb34b4944f6b8082e73eec85c644f0a97fbf3496bf74acd547bd491545d0c4058ccc18ef94d69fb0c221d00934530c66c7ee9b3baeae23532ffae339f4c5fee

Download Submit
\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe

Filesize
520KB

MD5
bad0568ba598df4070a9c61e71dea2b2

SHA1
cf0109da5b0dc2ab9cf65f85d8da9818da4dbe96

SHA256
21c9c3a0aae8175ad4c33840fba933b3b735f576673247291c7818c1e859a8eb

SHA512
097ac7d04ca26ccd54a95bcf50a069bb6db243ddb15060cb634b2bae748ca1aaff1c9e41fb9c78cf189042a71007e8cdfdcb77d131d1c899b418ef465440f39c

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

Filesize
520KB

MD5
8f5fbe5b15a75359e786bba6ae17fe06

SHA1
95cacd8e1a730bb297a8c1a9a342f6733c42767c

SHA256
69549b1d4e6785935402e09e20b0d85eb1b0abc1aa5949a37fc7d4a4a8489d4a

SHA512
d1d9f8d6ef16d462d759bfdcf7d5564070e03e9682cb59bd212bdcd858d454ef7f6cdff798699f2b49805a19561c7d0c060e8dc4cc6bc7f937afcfc4a9d2bc09

Download Submit
\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe

Filesize
520KB

MD5
ca871ad07a5924cd97e8f00461ea1260

SHA1
0e4ddc3166b17ca7571119c734ffa6416f22b575

SHA256
74dd3d9edb5945d941b43623fa0f702850d8bfd3d509d02f34c4e984fe8b680e

SHA512
5f6735248bdf9780e2c400148382ee014f4e824509a0156a3b4d02ccf997dc835a856a78a73038f58ca555ebfc8aaf35c92eb9e1903e3ea517868adacad1f3bd

Download Submit
\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe

Filesize
520KB

MD5
40d4e94fd1c2b30224d0c48044ecfd67

SHA1
9ae063dac07009d6313d8a42ce61091c7caba39f

SHA256
4de30b085eb6fb838ebe3051a5bcaa2dbd51e33c1228c4f1413b98d19f525c4a

SHA512
f6952c5f59584c5812fcb0f0aea99e6f50e342374e61600c6a0b0e34ceaa8cbdb045bb01611474dbf44b10259f6ca3121067eb3125663b87ba72c549a7f5bd6c

Download Submit
\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe

Filesize
520KB

MD5
3196be035f6c43d7fea836fe780d8812

SHA1
0b6ac150801d1268440fd1b6734463dc720b1379

SHA256
c77c491e4301a3d9c3d1d22dafe6fce1f583c2260be5c39358e263396b1ca7bf

SHA512
e0f23d9c89998182fd56fcd6e904b020ea0fdf014cdd5a23cc25d3bab9f7af74bc29c60eb261895dc8d6083d94fe7a8e8a234bbe455edb8f87d9b24b9b64d5bf

Download Submit
\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe

Filesize
520KB

MD5
874fd2500c7f5d88246345064b617436

SHA1
34a07267ae9f341d9ab0ad7fd0a5d2489f3fae6b

SHA256
66946e5b762eb3071780e6056558c8fe31032b8d1a99ce675da1456d497839cf

SHA512
cabeadd128614294b6e8567d91cd87fcdadaaf19d536d6600655143e062d97f62aaa3c5782149be67864e98a74b51bbd3cc620757e93cfa1beac8b8c6bc2cfec

Download Submit
\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

Filesize
520KB

MD5
8a3575c29ac3e609116b05785ff1a23a

SHA1
d510c806982edd0e45a89a1fc6bf6b11e107e1aa

SHA256
ffeb74a0745da250828add61dbe2f618f6b830c5f3c50c4fc77ec728ba10c99d

SHA512
d8f70076133e5f7a8af1e70df254160e3304e7fce946a78d435583c8757494d17d4e159e2129cbbab6ad54ae815f5e6ea6cc4056eaf5477eb2785e18352158af

Download Submit
\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe

Filesize
520KB

MD5
a68fd5e57ce9c649f0cd3f9f7c323916

SHA1
49b11d5a68fa07ba6d324c71acf8f2c78b7e32d9

SHA256
9b0c0a92e4309e941f215af480c9a2cc06729cbe0c974d74b5441fd796b5c02d

SHA512
22e1aaec1d412d9b28aed4bcdcdd34319ec5ddf060735d0454a78425d61db28051f6d1d30d0cd2ba50ebb2a1da35c4c4c6a0e5566de4deea827f0d58a64080bc

Download Submit
memory/1788-1561-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1788-1566-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads