blackshades | cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
Size

520KB
MD5

52addf8bd42614efa69dc85209d6e760
SHA1

755a0bd27dfff5247bd8af2eb3de71d8dee93837
SHA256

cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2
SHA512

7ca4732063b2f5420d40ea1a1235d31aa1cebd5d07bc4270c96d76d3508a1c4d5a2142bec4e9d9baf99f52cc95c1ac298715e8374542a9a34b02d44f78396989
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral1/memory/2440-1578-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2440-1583-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2440-1584-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2440-1586-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2440-1587-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2440-1588-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
1624	service.exe
1192	service.exe
1348	service.exe
2900	service.exe
568	service.exe
348	service.exe
276	service.exe
1040	service.exe
2684	service.exe
2828	service.exe
1908	service.exe
2908	service.exe
864	service.exe
680	service.exe
1340	service.exe
2284	service.exe
1552	service.exe
1892	service.exe
2944	service.exe
1272	service.exe
2780	service.exe
1052	service.exe
2028	service.exe
2644	service.exe
348	service.exe
276	service.exe
2452	service.exe
2720	service.exe
2608	service.exe
1932	service.exe
2372	service.exe
1056	service.exe
1492	service.exe
916	service.exe
1324	service.exe
1680	service.exe
2396	service.exe
2880	service.exe
2604	service.exe
1868	service.exe
1504	service.exe
2032	service.exe
640	service.exe
1044	service.exe
348	service.exe
1048	service.exe
3044	service.exe
2416	service.exe
1292	service.exe
2964	service.exe
2988	service.exe
2232	service.exe
1500	service.exe
1772	service.exe
2040	service.exe
2324	service.exe
2848	service.exe
924	service.exe
2416	service.exe
2924	service.exe
2016	service.exe
2952	service.exe
1968	service.exe
2440	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
1624	service.exe
1624	service.exe
1192	service.exe
1192	service.exe
1348	service.exe
1348	service.exe
2900	service.exe
2900	service.exe
568	service.exe
568	service.exe
348	service.exe
348	service.exe
276	service.exe
276	service.exe
1040	service.exe
1040	service.exe
2684	service.exe
2684	service.exe
2828	service.exe
2828	service.exe
1908	service.exe
1908	service.exe
2908	service.exe
2908	service.exe
864	service.exe
864	service.exe
680	service.exe
680	service.exe
1340	service.exe
1340	service.exe
2284	service.exe
2284	service.exe
1552	service.exe
1552	service.exe
1892	service.exe
1892	service.exe
2944	service.exe
2944	service.exe
1272	service.exe
1272	service.exe
2780	service.exe
2780	service.exe
1052	service.exe
1052	service.exe
2028	service.exe
2028	service.exe
2644	service.exe
2644	service.exe
348	service.exe
348	service.exe
276	service.exe
276	service.exe
2452	service.exe
2452	service.exe
2720	service.exe
2720	service.exe
2608	service.exe
2608	service.exe
1932	service.exe
1932	service.exe
2372	service.exe
2372	service.exe

Adds Run key to start application 2 TTPs 63 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXIYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRUFJPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\KIMAEOTMCCEGUCQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\EAOUMCCEGUCQPBJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLJMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCQLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPJHJWXES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXTOCYJEIYWFRXN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKWIGKYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPKJPLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXSQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPDYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CQLJYOBOQLEHISO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJOTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYURCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XENXVFBMFGWPTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHHBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSPJEETURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONIRYJFAQJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFVSSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYVWIOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TRVJNIGXVLLNIBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVAXLXIHLYCMSKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXIUTUQOVQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRNXOKJWDMWTEAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLAURMVGWBGVWTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCRBRSPXK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDXUOCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIJFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGCQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLXXBYTRAYUJXAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLLXUSWRYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUNDNGFHYUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NBOWCUYTPQDJQQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAVARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCJN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCSBRSPXK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NAIRYJFAQJKTWYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUNSLBLFDFWSTBO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SENEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAHTUPNQFTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FDOMKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLKOBFBPVNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNBDVTCCW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPUHLGEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPUPWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\PQMLYFOYWGCNGHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQFEFAFBWREMG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBPFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMIUROS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKJMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXENXUFBMFGWPTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOYPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQJKTXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLUYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OMQLSHIYAHIQMVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJDXNOLUGMR\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2116	reg.exe
1608	reg.exe
2424	reg.exe
2068	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2440	service.exe
Token: SeCreateTokenPrivilege	2440	service.exe
Token: SeAssignPrimaryTokenPrivilege	2440	service.exe
Token: SeLockMemoryPrivilege	2440	service.exe
Token: SeIncreaseQuotaPrivilege	2440	service.exe
Token: SeMachineAccountPrivilege	2440	service.exe
Token: SeTcbPrivilege	2440	service.exe
Token: SeSecurityPrivilege	2440	service.exe
Token: SeTakeOwnershipPrivilege	2440	service.exe
Token: SeLoadDriverPrivilege	2440	service.exe
Token: SeSystemProfilePrivilege	2440	service.exe
Token: SeSystemtimePrivilege	2440	service.exe
Token: SeProfSingleProcessPrivilege	2440	service.exe
Token: SeIncBasePriorityPrivilege	2440	service.exe
Token: SeCreatePagefilePrivilege	2440	service.exe
Token: SeCreatePermanentPrivilege	2440	service.exe
Token: SeBackupPrivilege	2440	service.exe
Token: SeRestorePrivilege	2440	service.exe
Token: SeShutdownPrivilege	2440	service.exe
Token: SeDebugPrivilege	2440	service.exe
Token: SeAuditPrivilege	2440	service.exe
Token: SeSystemEnvironmentPrivilege	2440	service.exe
Token: SeChangeNotifyPrivilege	2440	service.exe
Token: SeRemoteShutdownPrivilege	2440	service.exe
Token: SeUndockPrivilege	2440	service.exe
Token: SeSyncAgentPrivilege	2440	service.exe
Token: SeEnableDelegationPrivilege	2440	service.exe
Token: SeManageVolumePrivilege	2440	service.exe
Token: SeImpersonatePrivilege	2440	service.exe
Token: SeCreateGlobalPrivilege	2440	service.exe
Token: 31	2440	service.exe
Token: 32	2440	service.exe
Token: 33	2440	service.exe
Token: 34	2440	service.exe
Token: 35	2440	service.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
1624	service.exe
1192	service.exe
1348	service.exe
2900	service.exe
568	service.exe
348	service.exe
276	service.exe
1040	service.exe
2684	service.exe
2828	service.exe
1908	service.exe
2908	service.exe
864	service.exe
680	service.exe
1340	service.exe
2284	service.exe
1552	service.exe
1892	service.exe
2944	service.exe
1272	service.exe
2780	service.exe
1052	service.exe
2028	service.exe
2644	service.exe
348	service.exe
276	service.exe
2452	service.exe
2720	service.exe
2608	service.exe
1932	service.exe
2372	service.exe
1056	service.exe
1492	service.exe
916	service.exe
1324	service.exe
1680	service.exe
2396	service.exe
2880	service.exe
2604	service.exe
1868	service.exe
1504	service.exe
2032	service.exe
640	service.exe
1044	service.exe
348	service.exe
1048	service.exe
3044	service.exe
2416	service.exe
1292	service.exe
2964	service.exe
2988	service.exe
2232	service.exe
1500	service.exe
1772	service.exe
2040	service.exe
2324	service.exe
2848	service.exe
924	service.exe
2416	service.exe
2924	service.exe
2016	service.exe
2952	service.exe
1968	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2580	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	30
PID 2504 wrote to memory of 2580	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	30
PID 2504 wrote to memory of 2580	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	30
PID 2504 wrote to memory of 2580	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	30
PID 2580 wrote to memory of 3032	2580	cmd.exe	32
PID 2580 wrote to memory of 3032	2580	cmd.exe	32
PID 2580 wrote to memory of 3032	2580	cmd.exe	32
PID 2580 wrote to memory of 3032	2580	cmd.exe	32
PID 2504 wrote to memory of 1624	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	33
PID 2504 wrote to memory of 1624	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	33
PID 2504 wrote to memory of 1624	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	33
PID 2504 wrote to memory of 1624	2504	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	33
PID 1624 wrote to memory of 2828	1624	service.exe	34
PID 1624 wrote to memory of 2828	1624	service.exe	34
PID 1624 wrote to memory of 2828	1624	service.exe	34
PID 1624 wrote to memory of 2828	1624	service.exe	34
PID 2828 wrote to memory of 2148	2828	cmd.exe	36
PID 2828 wrote to memory of 2148	2828	cmd.exe	36
PID 2828 wrote to memory of 2148	2828	cmd.exe	36
PID 2828 wrote to memory of 2148	2828	cmd.exe	36
PID 1624 wrote to memory of 1192	1624	service.exe	37
PID 1624 wrote to memory of 1192	1624	service.exe	37
PID 1624 wrote to memory of 1192	1624	service.exe	37
PID 1624 wrote to memory of 1192	1624	service.exe	37
PID 1192 wrote to memory of 1908	1192	service.exe	38
PID 1192 wrote to memory of 1908	1192	service.exe	38
PID 1192 wrote to memory of 1908	1192	service.exe	38
PID 1192 wrote to memory of 1908	1192	service.exe	38
PID 1908 wrote to memory of 2348	1908	cmd.exe	40
PID 1908 wrote to memory of 2348	1908	cmd.exe	40
PID 1908 wrote to memory of 2348	1908	cmd.exe	40
PID 1908 wrote to memory of 2348	1908	cmd.exe	40
PID 1192 wrote to memory of 1348	1192	service.exe	41
PID 1192 wrote to memory of 1348	1192	service.exe	41
PID 1192 wrote to memory of 1348	1192	service.exe	41
PID 1192 wrote to memory of 1348	1192	service.exe	41
PID 1348 wrote to memory of 1288	1348	service.exe	42
PID 1348 wrote to memory of 1288	1348	service.exe	42
PID 1348 wrote to memory of 1288	1348	service.exe	42
PID 1348 wrote to memory of 1288	1348	service.exe	42
PID 1288 wrote to memory of 1936	1288	cmd.exe	44
PID 1288 wrote to memory of 1936	1288	cmd.exe	44
PID 1288 wrote to memory of 1936	1288	cmd.exe	44
PID 1288 wrote to memory of 1936	1288	cmd.exe	44
PID 1348 wrote to memory of 2900	1348	service.exe	45
PID 1348 wrote to memory of 2900	1348	service.exe	45
PID 1348 wrote to memory of 2900	1348	service.exe	45
PID 1348 wrote to memory of 2900	1348	service.exe	45
PID 2900 wrote to memory of 2956	2900	service.exe	47
PID 2900 wrote to memory of 2956	2900	service.exe	47
PID 2900 wrote to memory of 2956	2900	service.exe	47
PID 2900 wrote to memory of 2956	2900	service.exe	47
PID 2956 wrote to memory of 316	2956	cmd.exe	49
PID 2956 wrote to memory of 316	2956	cmd.exe	49
PID 2956 wrote to memory of 316	2956	cmd.exe	49
PID 2956 wrote to memory of 316	2956	cmd.exe	49
PID 2900 wrote to memory of 568	2900	service.exe	50
PID 2900 wrote to memory of 568	2900	service.exe	50
PID 2900 wrote to memory of 568	2900	service.exe	50
PID 2900 wrote to memory of 568	2900	service.exe	50
PID 568 wrote to memory of 1472	568	service.exe	51
PID 568 wrote to memory of 1472	568	service.exe	51
PID 568 wrote to memory of 1472	568	service.exe	51
PID 568 wrote to memory of 1472	568	service.exe	51

C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
"C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe
  "C:\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempOULIM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TLAURMVGWBGVWTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2148
- - C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe
    "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
      "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1348
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLPKSG.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCYJEIYWFRXN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1936
    - - C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBNVMG.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CQLJYOBOQLEHISO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FDOMKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
        9⤵
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCRBRSPXK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "
        10⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKWIGKYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "
        12⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPUPWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        13⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SENEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVCQ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
        16⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPKJPLBOWF\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQRWC.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYURCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        19⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        20⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKJMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
        21⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
        22⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCJN\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRUVHI.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQMLYFOYWGCNGHY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYK\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPBJAE.bat" "
        25⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KIMAEOTMCCEGUCQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLOQVB.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        27⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGCQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JLXXBYTRAYUJXAF\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        28⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
        29⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQFEFAFBWREMG\service.exe" /f
        30⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\RJIQFEFAFBWREMG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RJIQFEFAFBWREMG\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFGEMF.bat" "
        30⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPL\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPL\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVKXIG.bat" "
        31⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAHTUPNQFTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHBPXK.bat" "
        32⤵
        
        PID:340
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYVWIOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        33⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXUOCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
        34⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXUSWRYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHEMFJ.bat" "
        35⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMFGWPTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHHBVCSOPLK\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\WQJPWHHBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJPWHHBVCSOPLK\service.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPLYK.bat" "
        36⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TRVJNIGXVLLNIBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
        37⤵
        Adds Run key to start application
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        37⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLKOBFBPVNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "
        39⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBPFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCWLBHPGFQ\service.exe" /f
        40⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCWLBHPGFQ\service.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
        41⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempADESA.bat" "
        42⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVAXLXIHLYCMSKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe" /f
        43⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YFXIUTUQOVQGTBK\service.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "
        43⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMIUROS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
        44⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
        44⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIQCJ.bat" "
        45⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQJKTXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f
        46⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
        46⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCSBRSPXK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
        48⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
        48⤵
        
        PID:320
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NAIRYJFAQJKTWYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUNSLBLFDFWSTBO\service.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYSGN\service.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
        50⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPDYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
        51⤵
        Adds Run key to start application
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBESYK.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EAOUMCCEGUCQPBJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        52⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
        53⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHJSO.bat" "
        54⤵
        
        PID:236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCQLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBKVTR.bat" "
        55⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OMQLSHIYAHIQMVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f
        56⤵
        Adds Run key to start application
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
        56⤵
        
        PID:344
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        57⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe" /f
        58⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUUC\service.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHPGE.bat" "
        58⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNBDVTCCW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUUJSF.bat" "
        59⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBOWCUYTPQDJQQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /f
        60⤵
        Adds Run key to start application
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
        60⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
        61⤵
        Adds Run key to start application
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
        61⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIJFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" /f
        62⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
        62⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f
        63⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
        63⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLEYFV.bat" "
        64⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRNXOKJWDMWTEAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        65⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        66⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe:*:Enabled:Windows Messanger" /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        67⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACESA.bat

Filesize
163B

MD5
c6dadd9daa4f7839b639405d6c0aa376

SHA1
32622e34687bedd75b616bcb03689ec3878b6d8c

SHA256
3d80e6c36247c550ed9a5d8a98864bea7a158176df8af3b06125d1866ec5eb41

SHA512
6b2d45c53d65da5d58ea7cac29a4c8c08c77c8d510fe1b29568ed41c59205a4a257a229d0130d60fc01db033348de17126ef3f0f4c70cda74c07d5df1942e26e

Download Submit
C:\Users\Admin\AppData\Local\TempADESA.bat

Filesize
163B

MD5
ab4493fc2c1a77dec0585784890f7f87

SHA1
bef445e109af500653871e73f3066083dcaff2f4

SHA256
1367aa8ac3d6b39403c157dfa98d4b968a4170eba85f1ac21e8c4c74febe2fdc

SHA512
c6f00ab34a529b8a6a33cfddc3c61878eb600cf2d818634441bc264a144769a7e1a70f458e76bc1e68d83d8fb2d1d16311b2efb7875bd86252bbc6be9fa59361

Download Submit
C:\Users\Admin\AppData\Local\TempAHVCQ.bat

Filesize
163B

MD5
4b0d872f3f416957a182ff7e52c309eb

SHA1
0f1b526a0543465b9e3dbeda4d433788776401c9

SHA256
6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88

SHA512
4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
06a13623bf31ac42ab9f880594ad5d69

SHA1
4a32695b81feb51390f1bbab64b447af09609b2e

SHA256
cb2897426277a36eb8341deab91918531bb508625fe952493ab70094d586303d

SHA512
4720e903bd7bfbe05ee4931e847ac71c349aec96892c309d8baa80900e9760634206dbea03b6bd1152448eefce2cbcd5a06b4d18ab66d27c21d00cef1d886508

Download Submit
C:\Users\Admin\AppData\Local\TempBESYK.bat

Filesize
163B

MD5
992511aee7020acff3f193d34455de43

SHA1
b7267bf6e38ed3d437f7cdec32a532b95101594b

SHA256
06c30e7548f55b82ad5d49a16885cc546f76f5ecb5c8ad3422606456dd76c61e

SHA512
c44253b8f8575d51c41790a281fc3bac2826d24552ab375fd034bb3696017b856cc12e3147df649c7013efbbef646421df5d6070174755021f007be44527b90b

Download Submit
C:\Users\Admin\AppData\Local\TempBIWER.bat

Filesize
163B

MD5
c1a60dd581017c63616a4875db6861f3

SHA1
10f16f3ef7f0d1ebdfcf870588dd9c33eb7d25b9

SHA256
1d18a3335b6e05e50ec1a09481db154f2841ebf83d9c10c219426f4cc92d5ce1

SHA512
46f22974cfb419eb2122217149ca3b450b5c07b7b1447c76174da47647695067aad4b9c7509d63d8f259fc04db2923ce28b445f77b65894e9a83526cb620c6e5

Download Submit
C:\Users\Admin\AppData\Local\TempBKVTR.bat

Filesize
163B

MD5
42716b880ebd6c9e9ad942eeb2797743

SHA1
7b8dabb78760ed960ff16d5c09a01e3030628dbe

SHA256
63ca14baba9312e8cc507bf86aa40d452dc3149141700dc47cd015e6c7b81cbe

SHA512
351b36f61bf69a4c7a871801cd9a7051a39b2a38e944f9fb76be8eeda12324f0f6bae47f77fdeb119e94667889dad2eabc7cfeb27df5995a2955638e90d258e1

Download Submit
C:\Users\Admin\AppData\Local\TempBNVMG.bat

Filesize
163B

MD5
360b29502abc3f05c6bf73f15efa430e

SHA1
2c86ca35231c0a088ad4746f28ccdf8f3d93f3fb

SHA256
e76e084d095073a028bd442d391edf9a7440b491f05e6584e101fdd7b146b0ef

SHA512
88b4a6dab3654364f58475bcbeb34c8bad47db187a4f55296fb9f433ea26fe5555ef6ac21278f86f3ba5269da0d35a5b8d96f7d5986425701d2eddcef89eff31

Download Submit
C:\Users\Admin\AppData\Local\TempCAJXF.bat

Filesize
163B

MD5
dd9b85c1af6e757ed070222ec926d5fa

SHA1
3a3315571ea00bc351bcb25f1771fb38de381a6c

SHA256
cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec

SHA512
c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3

Download Submit
C:\Users\Admin\AppData\Local\TempEDHYU.bat

Filesize
163B

MD5
8924054e4f27b0fd309b5fac7a84bea3

SHA1
8610aa8a5c41ae32575e599cc85ae8b9d5b28af6

SHA256
2dceed0b5c0fc3e203aca5b5876d36d3676cf51c876edc26acd18c529109aab3

SHA512
3573c6ffbbc2c7fc342918b1ec0e081ef0beb3a9d478388c53a4a1666d37f782167dcc7d1634478bb3401e92edf33737012966ec13dc1486b48748d1a156a6cb

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
1333e399943e4112c292480711a14a9b

SHA1
863f0004610aea85de2ab4e512cff562ac0a7dfa

SHA256
382240bfcaf4afbe58b148f62bac857b6382af41e7facaff3b4b85e0fb9458ef

SHA512
32506265f04d6240dea72fdc86a323af0ddfffbd4b471430e95cf04d53af5076bb7b25522a527f01c972b3746f6b9486a6d54b91829933494fb99fb9a95798dc

Download Submit
C:\Users\Admin\AppData\Local\TempEHJSO.bat

Filesize
163B

MD5
d71caac55aa1186948d84be277df94aa

SHA1
15a20007c6fbcf500db03da7c8a96879045573fd

SHA256
eda0ec387142d5a4d652ec8f812922f6fe1f402a150830130503e517312cc1ae

SHA512
9ad5d508cc6169dba6c35c2f7419763e84d5e9ddeb35cd5c8583c29cab1eb8bc9e36cf70fab9df620e22a21a1d80f7ea6b0adf0d6d7ab82e4a9431d7f2efed38

Download Submit
C:\Users\Admin\AppData\Local\TempFGEMF.bat

Filesize
163B

MD5
f1e7351a8e653205da4c2802a1e4f591

SHA1
b3beebb77e199fbb82191ad237473237454a9d4d

SHA256
86d077d73bc1f3df6d6813c44b8212720a1fa116c3186c8c1184c6bd5505987a

SHA512
6446410482fbdeee267608a490c3142748c84b9998ecec835ff7a0c412389afbede43998fd489b565bb8c83c231ef58f9c482017a9a715432ff1c286f4750736

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.bat

Filesize
163B

MD5
99d1d0644020f5f96153d93a2d1b6b8d

SHA1
92977c3181e55715985793471f97b4394488b501

SHA256
82eab578bf17da5917751c849aecdedd7abd4ae92102611ed9a1b03840ebe6bb

SHA512
8a95fb0fd1240cbd26d9082aee2a02da19204bb70b97680269243c2a64416b2be91dfc7024e220c04e49e2ba7ec1487a89b53424b24bb97003f6cdd938b189e4

Download Submit
C:\Users\Admin\AppData\Local\TempGPBHM.bat

Filesize
163B

MD5
9e578c30d5abd782192c456c0842e749

SHA1
b6d0203ff08a568627ea690ad5762f1a4c333113

SHA256
c05d870d95723502bb6fa7614405ccf842932240675b4c4f539a3b66740d5f2a

SHA512
23301b106ca4f3c463daf119ea2949c9a2d8bbca9a3430f55e2056a76d289a1c06b1a221527229c9b4fcfc2ba55045c2da972d7f2b01bd9317afc35193c440cb

Download Submit
C:\Users\Admin\AppData\Local\TempGPLYK.bat

Filesize
163B

MD5
54b0add7046d8fe6728b7dc102a8766c

SHA1
c1a6c691aadf54cdf5c7ab6a07bafe1908f3d9d2

SHA256
8e5a9af2d8d7074cabf9630c1bb541090ce132da858c5977ddae06441ea212b4

SHA512
16d7497e6e4225d9348610e887f0b6da09489a62e00d7f6b01755f4636a7fdec5dd1276ffbbf471bbef7b70cf9a1e4843b8c49d4ec5daa305d7c011b162bd6f7

Download Submit
C:\Users\Admin\AppData\Local\TempHBPXK.bat

Filesize
163B

MD5
988a9a1dd2014ac865ad41e01c8aa11a

SHA1
4eed443a0fb6e5ef34014f004894de09c20ee7d2

SHA256
15d38228aeb7f96d7cc9762fffdcb10aff39bfb5101cac7fb1a7544fdf45c965

SHA512
b6c638e508cbebb357becca55393b47f8241c644b6c8af1810ed9fd47c26da7dd0d8e557c1376858e66054cabb658d0a81ccf6f88afc96f02e7e88468fb99e19

Download Submit
C:\Users\Admin\AppData\Local\TempHEMFJ.bat

Filesize
163B

MD5
fde81dfc68aae5ee5e02a4ba764b7124

SHA1
5b6a236d975d05b0054abf41db7daefe3289474b

SHA256
41f5f20decfff229eac6908be024acb7b69ed01505964dcf0784ea9ac5887241

SHA512
78621df33fc962beea746e34e64974f5787cef655e174579eb0e04cd8df414a5ac9d21ee6b2d58409c2fe89d18515564042d68ae8e0ad307e8af4062452285bf

Download Submit
C:\Users\Admin\AppData\Local\TempJACDR.bat

Filesize
163B

MD5
49bbf6c8688591d689bd71bf51c1e28c

SHA1
d6a6cfb52ac5375af87b7b1e44c2eae713ce23eb

SHA256
1ebfac99ed6747ce86a48ed9ffb7c793522755c7e0a0f8f470efeec173164203

SHA512
dbeb4151828f843ff90476cda49adc77fc5be03bed169b38d638e75ba1d8be6ede1945df5759cfff5c6abf0d545624881baad33650355c256f6f4b56884cf046

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.bat

Filesize
163B

MD5
c2892a62dae2e334d742aae0252fc46c

SHA1
48be623003d4d3a01f8a86a6ada1b25fa3cc537a

SHA256
c364f94b6bfb2f67e0b220b87a884a01382faa065c2ad6135c61dc097991de7e

SHA512
6cbf066215377c1503de0cafece6602c6d61a0c9ceb70133a763cbdd09591424070c5bf1d95da484c30e39771c17ef9438a5cd3e902124ef5adc26dd227132e2

Download Submit
C:\Users\Admin\AppData\Local\TempKHQCI.bat

Filesize
163B

MD5
73d37ff4d258d589a7b1a779d892b8c2

SHA1
9fd2b626a9089fb4e75440af96657c53bbfad5a8

SHA256
96913125da57922f4822e21f7a4f0a4582067e0330a32f8436c6d497026214c3

SHA512
94cd247d530e0e1a1add27721d195b5a5a1358fd8ecbea9cf8a93937efde42afeb42bb9d72a66b46bce4c1e8db6bf9855479d513e2bb90f13d7830434b933ab7

Download Submit
C:\Users\Admin\AppData\Local\TempKLVQE.bat

Filesize
163B

MD5
50e7f36ab3e04923563d851bde070e90

SHA1
07479992af65dfba5636055635f7abf31a575e9e

SHA256
076f12c0fbf387a3992cc35e619f20319ab0599caef6b5d3bf4e16fe3b9c668d

SHA512
adfaaffca2db061b36017f211d7e1ab9cb7300a92d865a6958a7643595d9dd4cfaa8b2ddba7821937ec6027d4db4e9fda53b047a1087322992be200d232b6770

Download Submit
C:\Users\Admin\AppData\Local\TempKNOYU.bat

Filesize
163B

MD5
7a997d0a008b3bc8c4b77d679847d8a1

SHA1
78023e99325fbec86f90a1f972ac844854e027a5

SHA256
abf801046072d130ffc8f28ca10101c46602553c317c917525323f4581c6f6e5

SHA512
da46af3e3e73842650b5343b0ea24d1d05b0a1f0bac45134fb3503c3d40868d32ca926ee175537c5ae37801f242c7b88c7039e28fdb91a5768d79926e4c14f8b

Download Submit
C:\Users\Admin\AppData\Local\TempLEYFV.bat

Filesize
163B

MD5
dd2be92eecdcfda1311055163fdb8dc5

SHA1
e63b573029f737a64e631e30bf3817cea00495d0

SHA256
b1dbf5fdcd8d79ba31aa14d457c243b16a81785120443a72cd4b7e44db29a6e3

SHA512
4c9c34e4129aefc8f7027b90333765830e3f443b95e9b37ec5aeafbbe79778e3ea7a26bd0d8dc9a75529e26c22c0fb524366b5bc02abf752df2e8819a304a235

Download Submit
C:\Users\Admin\AppData\Local\TempLHPGE.bat

Filesize
163B

MD5
aa1f68047651ea720dc491065c68fe9e

SHA1
14b00a26e5e9e81bdd99db99a7a51c476bd652fc

SHA256
d9d53b8f23bfd4d55847065872a4f0854c830b246327b9d0def6d8fdb9521ec4

SHA512
50f50bb90bac9cf253ea2b04e8c96ba929db4e83257f66d03cac4237b0b854c5e99da20cb7096cffe9b46167f84ea418ce3040857a1345c52173f3084f13b088

Download Submit
C:\Users\Admin\AppData\Local\TempLHQHE.bat

Filesize
163B

MD5
f814f4259a2f98d4da28c79ed3a6bb4f

SHA1
b36d0e73e50229d7ad8821238034a6bd95cf482b

SHA256
eae0bace75f623e11d6b7ef774140e65632b6e3f4df9cb6f90138299c79aea68

SHA512
badd7876a8498ca1aa06c486d73d702210adc70aae2e996340a842443823ea76ac04c457d379d422ff2f451eb0ec2739fe13d4952b70a18dca85540a79cf7654

Download Submit
C:\Users\Admin\AppData\Local\TempLIQCJ.bat

Filesize
163B

MD5
2d229fa3c14f0c8d9866a6efbf21505a

SHA1
7efb14342e9792a320ac35174a8e14259cf6eacf

SHA256
fbcc9da87db0aca6c47e0e2441daf7411538a73c4161e16cc2fc0b280116f8ed

SHA512
d1b6fb61e178219c4e5ad00143fe486d2b640ccae0474650630e0b32d52ccbb8ef413e87777f943b943c63a873199b8ef53cef614e11de4d744dd609fef897df

Download Submit
C:\Users\Admin\AppData\Local\TempLOQVB.bat

Filesize
163B

MD5
fc48e1fe49f4bd23cb827ae8284d89da

SHA1
d6b4317d714d959f1d8f65368c8eec72599b4aa8

SHA256
d22e6f839c2ac55fb1dcc232e38fd364e9d8a323c9a634a1d120c5a359b841af

SHA512
9f2274b859c43745f28ddc8139922a1d3dda60b01fa0125309dc6dcb425c996b3a1fe9eb502d3705a18a303177bb90190feb5e4a20c891ad38d8227bbeda7962

Download Submit
C:\Users\Admin\AppData\Local\TempLPKSG.bat

Filesize
163B

MD5
ad3b9b3baf42c97979ce98707ecca5fe

SHA1
247a6a879536f963b7352de903454734c13a7b1c

SHA256
a090a36b407af555985171f951f68b149f4caf54ed56347a88e424be957f3643

SHA512
c4415d507c4d3f9fd81ccc2bcf22a7740119b12546200fca04aace8cea2d756b709ef2e0f0fceb0f94a20b432439a4f16fb3e4a69da17094cf816c10bff36b48

Download Submit
C:\Users\Admin\AppData\Local\TempMJRDK.bat

Filesize
163B

MD5
22edd2e5b814b8a48238457e9eaa458f

SHA1
de9135a97c6e976de887c1acc3c3ac55ac6344dd

SHA256
0c02ada924e44b30e8d742287f0df8685fde155925f0dc44257ee33eec9cd0a9

SHA512
c40434c243412d6201a5d7835d06472744eea06c65d2e5ec9d07df0823d09250659dca0eae55ef3175c77eb1bedf65b344fb8618213d8f874e3fe057f97d3bb1

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
1fb1de7f08d19eb546f006bc99945a17

SHA1
54e4e017cca6cfc2726e1186cb467ebd6a020d1a

SHA256
2edb2a1b80236c6dff48d12e5e4b6663fc1e28bfdb69a6c74197762f1ec4d624

SHA512
13a5befc18b000ba4ab1cdd93e4e921f73905a5e01d24aa9150c8ef2ce277d9a44f8ccb166116cd50a36912a6b4d4fe8208e2d8ab4253ca9007b11c34a12f94e

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
033c9d9af7265975620041d538c5ad79

SHA1
4545e285f2945b9afdd79a27607fb949adbb69ad

SHA256
9cb2e115ccd62291710df35e8203f70435cb3d32b38085ab5fc91452b1bfa785

SHA512
282d8a0c0091a0e6eacb5cb6dae73669aafe8eb6344a6df4800b85206f592f5cf2c01204bab0bcea4f34c9bea5cba04d48d88c97537af74ed8b17562ac917c1c

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTH.bat

Filesize
163B

MD5
132d99bd9fe3ff7634e8d036f664bb2c

SHA1
69afb8e482599e8b360fcc0aade71224f5a3c1d8

SHA256
4c53b53588f7047490fde9a58c2e44691d59744746ed638cb54739ff654f6bf0

SHA512
c8ab0cecfc18665b884d79c30763bc766f6c2b03c0f90a86e3e0e6ad5ba526891916a170fa72e23aea37ca640b8532990f30f3c6712d6ee1dd7e9e1bb9db2a2a

Download Submit
C:\Users\Admin\AppData\Local\TempMQRWC.bat

Filesize
163B

MD5
765e174ecc5788f320cdca9040b3251a

SHA1
66178e1ec5d0cc494a2eb0846a8d381bbaaff67d

SHA256
c3c4416a4e02b0fca96d8e32743fffbe057b7f0be955e1e5d616d76e35e43a5f

SHA512
423aea6b6224a6636185f824880621dd17037b3248facd0ce5b246bf2058fbf1bd8ac81de9da11e2cd55bc070d3e3639ac2060e738bf297ec57d8bbecd4970ab

Download Submit
C:\Users\Admin\AppData\Local\TempMVREB.bat

Filesize
163B

MD5
49fa937e5f529a13e9d5e1c30fb0419a

SHA1
ddd8bb49a99feb0d3a07be4550679b555973782f

SHA256
f5bf3dc61637fb37c711af12011af119a2d071f532252666b963eb629bbeb1df

SHA512
a5f8b13d814443e8aeb2f9460da8f3839a3c0db9cd0ef92317d926e4a09fcb263ab61186b6cc19ce26befbed1915f66030191292951985e6aad22b2bee156442

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
136b7fb3d1a7e4059c007d2c604439d5

SHA1
b46979b4355b2954b017ad8a50440895cafbcd21

SHA256
a81439c6b3bb3671f81542571a09edc46c19a71eb9310643271019f400f0c749

SHA512
201845d3f30dbde37cf26898934b003190d004c8408db9fee10f76aec96c5ac12f0ab6b2e565f5952bc9e96ed3c124a8d390aaf8f1bb8220e66e83ce72240bb0

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
351119e46f798c1415001c88658bfaca

SHA1
690217c27eff4dcd537c066043fcc631e8b2089b

SHA256
5de0e56c154157dcd309b2f2112f7449347d3be617e07f7153c9c45ea0ba86cf

SHA512
769d08eb6e49d2e9b7abe512dc6745b0c2daa06144cc879b97a364337b290147b1ede38903a55d003f9546f356f4ec880bc0146c572da400f73adf64dcd8eef9

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.bat

Filesize
163B

MD5
cff95e52eb49a782a8095b477328d9dc

SHA1
8159a286587152d1d9f22d3b54c1a4772a6b0dfb

SHA256
75cf70941ac3afa1da1e2501f2bcbed4b1941fb01799cd07142c27ebd1ad1734

SHA512
f4a82ac66feebd26cc4a852e8c14f272a20be5f80fbe47f767c931e2d7b75313ebe22988092a1b3df6e533b8350092d16934b02c3015211e86a2b593b4f2faf6

Download Submit
C:\Users\Admin\AppData\Local\TempOULIM.bat

Filesize
163B

MD5
9713655dbe150150885b6d437e3f63bc

SHA1
b189ae1cbeae56e11906f3a0a2797e70fbff0e15

SHA256
05bea3d8e220f3a8c6ef1edd359ece593d99d945cd938145a5c7be8f8459a3b5

SHA512
bd25b1a0323f30b16a5311a8f960063b63357a975211996812e3892083bae24784dbf5ad4921934b60e483170eeded25780e299ea6112a9be5443d8160340125

Download Submit
C:\Users\Admin\AppData\Local\TempOVKKL.bat

Filesize
163B

MD5
8323965818f85debfb172d9a268c4811

SHA1
c91cc9eea86b28f38f6a2965b63ff5fc50e7d6d6

SHA256
a5655e6b0225a35464a7064d55bf29a4480351fc2ff82c2a6b4b54f7204f66bc

SHA512
b3c2cb2c1c81aadf297de8077fd0443cb3f630d210c6a6e8e21fd61136f4f1c95c9923067a51659e3d35e6f9e320bd9d4273eb00b69ade1220be0f609f318a81

Download Submit
C:\Users\Admin\AppData\Local\TempPBJAE.bat

Filesize
163B

MD5
3ef69a09be40b3e80b97c5870b084fb4

SHA1
690a3bfd953f418005ed3bb3c1e81b96609dd90d

SHA256
b418edfc57f97972e6eb96b7b1bd00ae53989f034840d6dbcec3c67399a54efc

SHA512
5405aecd9a8ab8c0e826ecd0a4892349a2b9e5fb7fd9d3681f5d3a10c481790f11fd8f4e0273cab67e8e2c76f9d7cf4f3c3a7649677ff5749fed36492ffed82d

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAU.bat

Filesize
163B

MD5
b6e7e717427b9a2a0cb73db79e705a84

SHA1
27812bd748e98425f675803b8f176a4256f194ed

SHA256
b504483495d7dc2be123b22b234915a5fe61a07a357a00b56f2b57222e3a63ce

SHA512
47677f7e8dfbb53cff8c626d252772dc3910b82133864bba34838c246bcf1050751a5ea87fc5f46d8d7068109c8d1d09dbf1fefbadd163c2d97f9f7d6fc299d7

Download Submit
C:\Users\Admin\AppData\Local\TempQVGEI.bat

Filesize
163B

MD5
25d58e59e5f0199fa80a35602afee372

SHA1
c1946530066d2d33386c6dbe7b82823e00b87df9

SHA256
8acb3f0b5914016fbab1a8606596ad91e3dfcfd1dc7ccf15c02a7826f9e29e7f

SHA512
08e1ad963524d909a2f20f30149249ed9bd32b85252c887b489ecd1c0aea39707ea422d65bbd7b8ec780efa52f686856c421cea99414c4ac5c5a7713fef79470

Download Submit
C:\Users\Admin\AppData\Local\TempQVGEI.bat

Filesize
163B

MD5
9b23d0945c2235796a7507cbe3a50f35

SHA1
c00ee7a67de1706da1bfe60d4686a6d6893a0183

SHA256
75bc426758e3fa1d9b8008f6a22912755ef4e3e1479d3b9a65aa92bc04cc6977

SHA512
1fae5ccd80e6ad24ce2697b1bd7f9d2c148250167514a21d3308b180d250fcceb5d76140d4a073346a9c776b139bb6000b8df48831ce7b85d17a7aece10d98cd

Download Submit
C:\Users\Admin\AppData\Local\TempRUVHI.bat

Filesize
163B

MD5
7e55e95ba8a9d425effd5e858ae50b9e

SHA1
2bf52f3c4d7b89dfb67cc54fffd58d8105c564e5

SHA256
c73c7672d86dea8feaa34a6f467d0089f735c6478e7709e7e7528d538aa2813a

SHA512
b4eeade682a6d2f081bdd761cb8427b8bf5d5a06e2be2e5f81f64c5dba0f5015614a0e59fb4803cf83a9980e044163540d7f4767b43255e92d6133d9a368364b

Download Submit
C:\Users\Admin\AppData\Local\TempTOXOD.bat

Filesize
163B

MD5
6b2a0e8ebd1add8f406b2efbf60bd173

SHA1
20d3acc9ac5635a259eb74295b1fd256b39b1fd3

SHA256
d6e0f1784db5c90089741a24df6a7bfa18fdd6dc14ff24bae2b759872ec258bd

SHA512
3a6ace254cc080c0ad76aea5b2edcd312c6d110ed4f46e4d91489c06ca01b6feca560f88cf5704147547a31dc20a566f45011d77b21e2e33c21783f5a92c8afc

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.bat

Filesize
163B

MD5
ab9ed2379d2677b094c01e1e5edc2dbb

SHA1
edd55b70767b067d515200017c17c4739e8b847d

SHA256
ccd5db2945ada5a0f9659c3bb7c7e1f45664b761db8b75380b190f53ad920b12

SHA512
2d133f54f55d84ce796113fef6e42f485d64f71d28bb8a8dcd49c5c8b552a5a9d02c3e0bbea042dbc9f847ee37141f6591209c77040695396f72208eef229b67

Download Submit
C:\Users\Admin\AppData\Local\TempUFYYN.bat

Filesize
163B

MD5
5d4766d585a46e424bddf87c4fb7828c

SHA1
151c92e29ec5dd2581dac5b1ec770fa79b033060

SHA256
b83f02b0cd1bb935ebe846acf2dc9ccbf711359be5e3ce1086636c5c2d36b4f2

SHA512
c6192357d9fe819995a28c570eda130929305c69d3926fba584a2f776f321381072df4e935eced4dc0e759669fbe0f27aa4f4204d1e5104473eafb742d19f499

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
38097e1b24f57471d24680739b536973

SHA1
622ea50ee17aaeb4bbcbfe0c10fb7f98271f536f

SHA256
266ef99301ba6db3b9454e9ea1af017104a1c29bf47860034da22bf82ae516a2

SHA512
a19a94c7654377f18fdaebd1abc35e9f280cd2b042fa87f59203f462db6c6b50795aaacd27c98c6084a3d5968e6f98a01e5581aa4edfb595453027b555adc727

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.bat

Filesize
163B

MD5
b22132539dd436d0b5e7e9332b303beb

SHA1
816341d0d9bcc592a70cbf867c7ffc44b75c0544

SHA256
1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058

SHA512
31ac6658660f0ac369b201e3ce563658ef64a9b1f53307be642acf7efa1c88ddd6ee9208a5a3c2136a60c5717eb63f4ff11d66e1df1ff932a26253493e0c47b1

Download Submit
C:\Users\Admin\AppData\Local\TempUQQFO.bat

Filesize
163B

MD5
dd3e6fbc02f40835dbc768b11815a199

SHA1
328c63c8133ff819d7dc13cf50a28ba4ee448fe1

SHA256
b439756e6792b899008e1ea7df6f71800a3c6ce715958fdcbf79155fc6d3ebd6

SHA512
e04c1d21232600c820aea2337c70906daabce11a912a70bec512631adf309dc45212c67315155119604fe9438eec145144876bd16278b420f1e1faec8972a371

Download Submit
C:\Users\Admin\AppData\Local\TempUQQFO.bat

Filesize
163B

MD5
27ff039d38045762254339ac930649c2

SHA1
ff4084040a1a798a39f0e3a3fbdcd2ccf4c4b303

SHA256
c67cf4c7d760f4ada63e9f3c5a9e5c5b65c15221d25ad0d38a19b607d3e6bc0a

SHA512
bb4e2e7847d75d72f61dccbaa24970edf6a4f4a17190b658b95f32eee95481ce8a267da8850decb48de33dfa9690eaad84eb02c9d87ee4be9ca17bbf1be89b67

Download Submit
C:\Users\Admin\AppData\Local\TempUUJSF.bat

Filesize
163B

MD5
28d39e899b213141f4e55448e7e6e480

SHA1
67f735c37c4b7b5f28185fbd1ad75d03dcbd42dc

SHA256
8df2b17e2831545135260ddecd6650ea34fbeeb193590bbb46de6f48d7c150ee

SHA512
bf83549a9ad1bb4e6a853c55b0ff6d6cb8b9670fb8dcdd348fd496d55a2fae962601e47c3c39fbb1dd147b341bd770acdb9e8217807b7da2db4a8b2e82304819

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
f286a997dafd3f45392758cd25adb9c7

SHA1
dd9863ba8a55910f95341ac38268e7bbd6c27330

SHA256
5e6541f54dfab8ef75e8af742526b73008d832be582cac12e866c730228ecfc1

SHA512
68071827c9ea291a46a5931c8a87d56a0e1122b46b420173919c818bd47ce3caa4a273b161301890cc48fba61b5867a8461cffe2ad7edd796a808d8238e3355d

Download Submit
C:\Users\Admin\AppData\Local\TempVHNSE.bat

Filesize
163B

MD5
01a423dc9819ee71e3d9625b2dd40190

SHA1
20d2a4436f8afa87aa2abc177c739fce78b45b50

SHA256
70c9d210307f850d4ce4186ee292a4cacc82948c3298b1b627b7022a6ff31e6d

SHA512
cabd65183e8f6c3d8c2e5580147ce83671f7f0ef4eddafa396045e84fa058fc3d0e005cd7b83360b687e908973964ea8cea50cf6b44dfd93c07784f90e5052fe

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIG.bat

Filesize
163B

MD5
0fda120ae11b33d9a1816993c242a626

SHA1
a83eb953720e0e0b363c5d396145fb371a7997ab

SHA256
7586c79acf6e2b2ec29b4c2e05787eb946325e228949234a90282f5b0554a401

SHA512
c709203aa504e1dea00ed657590392ab291b80fc1c5b42e33df26d6769550c08d782fe1b709951c72a639f639051667b3a4244b8c2e49445d7e6c1e8750f23a5

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIH.bat

Filesize
163B

MD5
1d04dcf7878702fd18d7e6ed7562894e

SHA1
7eb33af482be5164ce41ef0314274bdb945898f7

SHA256
12fac302f2e1efc661afc1594b5e5ab31298e3ac7cca736909610a7d48203890

SHA512
90194afa6724fd1ffe21cda8776505cc7b5457813b0bfd230f5679d75de2477e28d2491956e19588c55d4f97da897a8ef687290a0e8077ee130fce7696df5c42

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.bat

Filesize
163B

MD5
30e8fdaa6b3040f4afc9fa2b82cdd361

SHA1
f36f66e8c59e4516c509575456f9392fe6a92cd8

SHA256
fa345111a2b398e6eed8970c9cc7a6f7d10b31d2d2d2ec675248862e38ad4e0c

SHA512
f3ba4a384e50f5cb163892419c2718fe1f44e145b9c3a01d48a59fa9b97dad1508ffbc9f4ba92c8fbb359386c2b537ea8ac93de9b1f8ae370098efcdd2a82d64

Download Submit
C:\Users\Admin\AppData\Local\TempWNLPK.bat

Filesize
163B

MD5
ff8ddf6bf9e22f19b440a0e65f61325f

SHA1
53331dec6261ef73acac458313d465931ee3550f

SHA256
1160ec43828e119e2e55a60e06399eb0f0306ca90f26d2a460e41cb53c5cccef

SHA512
1ccfc853c063d1badb315031ba3852095e033142a62d79a2bf0ca8bc817e7aeeb23900689c51df694ed340da803eaae03cc56e4effcb3c53919f60c912a5ce31

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
2d88b6f973244a550fc52969ff4731d0

SHA1
c2ee94c917051b866b4e86c4a9172cb5bd55fcbc

SHA256
725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b

SHA512
7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693

Download Submit
C:\Users\Admin\AppData\Local\TempXSSHQ.bat

Filesize
163B

MD5
f3b42914968cb6bfb7e2ebb1b1441177

SHA1
b40ecd05d4eab43f1415ab212340c841661ef940

SHA256
0fc1d74bf17c4801af7a623a3ddfe043f995ae267e39424a5b773d7ed90291ec

SHA512
5455396a725d5feee1babe8f7226b9414e2b432adaf5065f34449b58dbfe68c00f83d8f1ff9f79ba87e9744a6f23264922c7626cd7d5e5150205b187a5a580ad

Download Submit
C:\Users\Admin\AppData\Local\TempXUASW.bat

Filesize
163B

MD5
7e4e7d02803059c71cf90314f2ff9e88

SHA1
7846624dd2d9b3ef07f0b0e2802ca432c262d2f8

SHA256
cc49825cd568417fd4c799987cfb409a1898afe82c0342e03a90689e0cb0b08e

SHA512
bbcab9f2d87632e3b43a9fb95514da2144045ab719ab1e1dc5bc56732bc882c039d6c68248eb369b0fc75a11e3ac77c953ca8176e01e85f5fb4aa198e0e88ebc

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.bat

Filesize
163B

MD5
c2772bee63397964fc1f25ee8bbbbca3

SHA1
48e44c0cce80ee73c63a25a3a8009b3fd528b67a

SHA256
32a4d5b5dd10dcf83cd9cf00cb85f0c7cb7da4967d6d50ce0b706bd9f2ee31af

SHA512
708b5d55de48c769733ff60926ddbfe69db79880452adb0716b6d2f86306ee1b24c9f31c677bd8d5b780e2cb1a71baa9443a28783417a2e0a9de08a40bdf6d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe

Filesize
520KB

MD5
dedeb826cc750433d658b1d532a49847

SHA1
337fa74ce74683b24302a000121fe429d9fdc1cd

SHA256
553a84cce232e3c9a91b433eced42bdb4b507f0dfdadd6a01926e30dd07d6eae

SHA512
e1b4593533e517bc795c5c8ab2f1a01162fb6e06f771d66a46f21815d1b6ee1c57bcf801dc6761c43f3ae1f1024abdb0898b483b488b22e0a54570610aecb2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCOWOB\service.exe

Filesize
520KB

MD5
095354e2688b6d291587013395715b16

SHA1
5585fd207ed7e4ba9a99990897cb530b61a082b1

SHA256
11f6b06e4491df1dc692d6669d109b6b693ef0571c79b9eeee4b0ecafaee6af5

SHA512
3666f1bc7069896ac1a15d1b61dc948d40f220abb7bc1372d83ebfdb550db7ad989fe0b9accc5464d56676b9f92eb60a57af6c9634bd788463f72b2986dfc1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe

Filesize
520KB

MD5
399cd4a9902cdc62db925c85efb8633e

SHA1
e4e4620bf89c8cfac717563d9c3ae371a58d9170

SHA256
e2172c35443e0a87e2aea3646aa7d908d77e00fbdedc1e440a3196c886eb344c

SHA512
bc9612fcdca8d81a0e2a846ed640587fa0336d00ca28b03db6a0419eb4d8518ca88af6c3e6243f3961e71deae57cc55f6ec79f7b24460200a89246a091faddc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe

Filesize
520KB

MD5
1b2b74083fb98b7c345eb5975ce91edd

SHA1
9cd3e3373427c585a5cf85337e7df8bf9527e4b9

SHA256
5087d7be7469a10368edb143f3ce964c03d2d9b8daed2e34de384324e4f92b86

SHA512
59e28b2e8ab35106607297c007c17adcec3004cd097ad50ed87c719ba93f715c9850815e468b58a1178ac336e25d2a0adb36b414a118375c99c59cbde8a80546

Download Submit
\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFVSSA\service.exe

Filesize
520KB

MD5
8a3a23c017c330d167bc6514882f94fc

SHA1
eaae82b51bacb19197669e88ec7ce650bdbaf67b

SHA256
4d59a71a842e42beba7e8c9ef21ee9513d1d42a5b4771fe0fc8006c5350f01f9

SHA512
2701fb5b82a4b853123724dddf7a48af255739cc0e30e5f255192001834efb37171adf2d73a9c5d5cbf07f6f0c683350b09faabe3e1dd823d1ff93b71cd080cb

Download Submit
\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe

Filesize
520KB

MD5
5f3ab09dba75a86a5159b8379984c385

SHA1
71e698315b536ec1eb6bf5e0b5eb40923c1880ea

SHA256
7cf3029f5bb4e4c4d2e88ded89b25543c559304a4b4d6ca044565913e308e692

SHA512
38261be90d204c564a13b394c3ee5404094c158bc3af8e567657aae61ea29a8885f2093aeacf0723143ddcf09f6199b9c48b4b9140cdc65876e1b408277340d2

Download Submit
\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe

Filesize
520KB

MD5
2101b5433e8d51140d8d2d8a404d3ef9

SHA1
d9d61e844cfd89df694af9c4e313f7c6ef66ab7f

SHA256
f991122e7213b5a9975e6c22e5726173afc8b67e1e208a5edec8b700d765ebf7

SHA512
7c5e6cc653a1a2c290b9ac882b21e531010ff401c1fd402bbcb363d370f63f21c904941439976d18862a13d1479c20af2a0e28f9db7ba019fb855ce9ccc1a500

Download Submit
\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

Filesize
520KB

MD5
c24fae180ff735e6e992639e4a531f29

SHA1
1d89ec42ff061faf8af3a226053e24da36e32b8c

SHA256
5659c5370997ceff884d37e92d4fdeb099caebf56c54daaaf9c32ff80700a71b

SHA512
5b11e838191aa63613cb52a79bf5127bcfca1e09af093f56d94fe747a183f80e1678e0d4434c0a0fc327c6e133c1733401fdf5235c00bdae930f42deba2f3b73

Download Submit
\Users\Admin\AppData\Local\Temp\HVQTXVYJOTAGDSR\service.exe

Filesize
520KB

MD5
be534fe01395ddb868773b3b1606e797

SHA1
cf4ada74ac612e6e0821650c2ce015f207c830ec

SHA256
0e57037937663cad9695cfe3d12f29f5ffb614d276aa7108504cae8316157f06

SHA512
4f9d1b5551fd9593c3094676e3039dbb06eca94a59e517e5099fdc11303a3645c8bb989abdf1fe935c34059e0f0699b83a5552caf32ae05d3c2f9096d516998c

Download Submit
\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
7e071b65ab6fb2025293b5f85270eae8

SHA1
fe29b6aa00283716fda1821e1439dd333f3f1a9a

SHA256
bb9696b55ddb43bf930f080b5be194808bf657a1ec7f0ce0764dc4ee7cea1403

SHA512
7f5e480a04e928f9a06bc555a9558a39596577ab29d2837e1763ad262fab6a2d0a3afa959f36f0f519162e177af43f530f5a7a1c3f04ca979419d4e1d401e0ce

Download Submit
\Users\Admin\AppData\Local\Temp\JCRBJSPJEETURAA\service.exe

Filesize
520KB

MD5
4a588b1c1df8810a3a7448596663ac29

SHA1
6dc76718b9907cdf988e31ae993e237237d382d7

SHA256
6cd6f28f86d6c53077789a6e38534269b44896b4dd84ae12a008372144ac41cc

SHA512
7b5c2b54a220c9956aae037ed6b69d83f6c1232d7ac5747ed80654a015d76bdc7b6ff4e13044cb6e5a3838d702a289dfb496e13200409630d5c2d79524231b1c

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
262583d2d1a2dd5a5d4f5dbb57b108b9

SHA1
07c8b5c9d89de08e837ccd5e849586654301eccc

SHA256
b696c7a6fa3db68baf69e2d5985b7b4b982b41f14f980b2cb50a729d5e7dc39d

SHA512
60c455b51692775503fbef14c810f9324aaf799d758030edeafc45044b3da88dcbace5498246c977a37bfb049cbcc5b37d50c156a8cf8bd140f3dbe25a0db76c

Download Submit
\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe

Filesize
520KB

MD5
d0855833c0ba7bbca794b25273252a14

SHA1
765c01ded951c50172c4fde0fd5732ae19d0140d

SHA256
b49d16648e2cb01a1ea0c17276b2a03786479340de15cb012e5564d65fc8ad6b

SHA512
1ad31bebfaf4e3a839937cf153ac5c9a8a1b5a4481576e3bdad157cdbb3364c3f0f2d1bb187c6cc2dbb1d39b218a3a5a4e0b369d7bb50812eafcd3c80cb5ca39

Download Submit
memory/2440-1578-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2440-1583-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2440-1584-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2440-1586-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2440-1587-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2440-1588-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads