Analysis

  • max time kernel
    117s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24/01/2025, 08:36

General

  • Target

    70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe

  • Size

    520KB

  • MD5

    1c96dc41eb8b5aac201f5b8025961950

  • SHA1

    79f518a4ce5b3a17b08e416569cbd04172dd296c

  • SHA256

    70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67f

  • SHA512

    46586a0bebdcd04c8dd02dc0d0785c523adf50c1ea54118933b267db4b07391973b45a58d3701e790cf70dab4c67ef33c1e2d12982caecde2b57d9fd8b568830

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXV:zW6ncoyqOp6IsTl/mXV

Malware Config

Signatures

  • Blackshades

    Blackshades is a commercially sold remote access trojan (RAT) whose capabilities include remote desktop and webcam access, keylogging, file transfer and spreading to further hosts; the sample here persists through a per-user Run key and re-drops itself as service.exe at every stage.

  • Blackshades family
  • Blackshades payload 6 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 42 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 43 IoCs
  • Adds Run key to start application 2 TTPs 42 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
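
The signatures above are made concrete by the process tree below: every stage writes a Run value named with 15 random upper-case letters under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, points it at a freshly dropped C:\Users\Admin\AppData\Local\Temp\<15 random letters>\service.exe, and launches the stage through a batch file recorded as C:\Users\Admin\AppData\Local\Temp<5 letters>.bat (beside, not inside, the Temp directory). The Python below is an added example and is not part of the sandbox report or of the Blackshades sample: a triage routine that flags process command lines showing those traits and collects the Run values and files a cleanup has to remove. The sample command lines are constructed after the entries in this report; the OneDrive line and the HKLM variant are assumed controls, not observations from the run.

```python
"""Triage of process command lines for the Run-key persistence seen in this report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# reg.exe syntax used by every stage in the process tree:
#   REG ADD "<key>" /v "<name>" /t REG_SZ /d "<data>" /f
REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"'
    r'\s+/t\s+(?P<type>\S+)\s+/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# Value names in the report are 15 random upper-case letters (WTHTEDHYUWIOVVG, ...).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{15}$")
# Payload path: %LOCALAPPDATA%\Temp\<15 random upper-case letters>\service.exe
PAYLOAD_RE = re.compile(r"(?i:\\AppData\\Local\\Temp\\)[A-Z]{15}(?i:\\service\.exe)$")
# Dropper batch as recorded: %LOCALAPPDATA%\Temp<5 letters>.bat, i.e. beside, not inside, Temp
DROPPER_BAT_RE = re.compile(r"(?i:\\AppData\\Local\\Temp)[A-Z]{5}(?i:\.bat)")


@dataclass
class Finding:
    cmdline: str
    reasons: list[str] = field(default_factory=list)
    run_value: str | None = None     # "<key>\<name>" to delete during cleanup
    payload_path: str | None = None  # dropped service.exe to collect and remove

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_cmdline(cmdline: str) -> Finding:
    """Return the traits of this report's persistence chain found in one command line."""
    finding = Finding(cmdline=cmdline)
    m = REG_ADD_RE.search(cmdline)
    if m and RUN_KEY_RE.search(m["key"]):
        # A Run-key write on its own is too noisy to alert on; require the
        # naming traits of the chain as well.
        if RANDOM_NAME_RE.match(m["name"]):
            finding.reasons.append("Run value name is 15 random upper-case letters")
        if PAYLOAD_RE.search(m["data"]):
            finding.reasons.append("Run value points at %LOCALAPPDATA%\\Temp\\<random>\\service.exe")
        if finding.reasons:
            finding.run_value = f'{m["key"]}\\{m["name"]}'
            finding.payload_path = m["data"]
    if DROPPER_BAT_RE.search(cmdline):
        finding.reasons.append("executes Temp<random>.bat dropper from %LOCALAPPDATA%")
    return finding


def triage(cmdlines: list[str]) -> list[Finding]:
    """Keep only the command lines that show at least one trait of the chain."""
    return [f for f in map(inspect_cmdline, cmdlines) if f.suspicious]


def cleanup_targets(findings: list[Finding]) -> tuple[list[str], list[str]]:
    """Run values and payload files to remove. Every stage registers its own
    value and drops its own service.exe, so all of them have to go, not just
    the first one seen."""
    values = sorted({f.run_value for f in findings if f.run_value})
    files = sorted({f.payload_path for f in findings if f.payload_path})
    return values, files


# Constructed sample lines, modelled on the reg.exe and cmd.exe entries in the
# process tree of this report; the OneDrive and HKLM lines are assumed controls.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYUWIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAOXKJ.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f',
]

if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    for h in hits:
        print("SUSPICIOUS:", h.cmdline)
        for r in h.reasons:
            print("   -", r)
    values, files = cleanup_targets(hits)
    print("Run values to delete:", values)
    print("Files to collect:", files)
```

Fed with the command lines from an EDR or Sysmon event 1 export, the routine keeps the chain's reg.exe and cmd.exe invocations and drops ordinary Run-key writes; because the sample registered a new value and a new service.exe at every one of the 25+ stages seen in this run, cleanup_targets deliberately returns the whole set rather than the first hit.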

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe
    "C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAOXKJ.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYUWIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3164
    • C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2904
      • C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2060
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:4624
        • C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
          "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:3984
          • C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
            "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2336
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOPVB.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4012
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
                7⤵
                • Adds Run key to start application
                PID:4088
            • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
              "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:100
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4304
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAVPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  PID:3196
              • C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
                "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4192
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1880
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:3828
                • C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4772
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPKDHI.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:264
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDXVUYLBPLJXOAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f
                      10⤵
                      • Adds Run key to start application
                      PID:2140
                  • C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:2940
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
                      10⤵
                      PID:4580
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
                          11⤵
                          • Adds Run key to start application
                          PID:3928
                      • C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        PID:2524
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYNWJ.bat" "
                          11⤵
                        PID:3280
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSGSDCGYXTUHNUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
                              12⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:3004
                          • C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
                            11⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:1156
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
                              12⤵
                          PID:32
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
                                  13⤵
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:512
                              • C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
                                12⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:5036
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
                                  13⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2340
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f
                                    14⤵
                                    • Adds Run key to start application
                                    PID:3504
                                • C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"
                                  13⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4300
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
                                    14⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2104
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
                                      15⤵
                                      • Adds Run key to start application
                                      • System Location Discovery: System Language Discovery
                                      PID:3360
                                  • C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
                                    14⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2008
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYLKX.bat" "
                                      15⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3740
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTHUFEIVWJPWWHB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe" /f
                                        16⤵
                                        • Adds Run key to start application
                                        PID:1616
                                    • C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe"
                                      15⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1848
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "
                                        16⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1992
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOTABGESSFHCADY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe" /f
                                          17⤵
                                          • Adds Run key to start application
                                          PID:312
                                      • C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe
                                        "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe"
                                        16⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2260
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
                                          17⤵
                                    PID:5072
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
                                              18⤵
                                              • Adds Run key to start application
                                              • System Location Discovery: System Language Discovery
                                              PID:3592
                                          • C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
                                            17⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:216
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAPXPJ.bat" "
                                              18⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:116
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESOMRDQSOGKLUQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe" /f
                                                19⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:2564
                                            • C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe"
                                              18⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4716
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
                                                19⤵
                                        PID:4908
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVSGSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe" /f
                                                    20⤵
                                                    • Adds Run key to start application
                                                    PID:960
                                                • C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe"
                                                  19⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1244
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMYJI.bat" "
                                                    20⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4544
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGBJUWRPRHVDLCX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe" /f
                                                      21⤵
                                                      • Adds Run key to start application
                                                      • System Location Discovery: System Language Discovery
                                                      PID:1708
                                                  • C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe"
                                                    20⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2268
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
                                                      21⤵
                                            PID:4700
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
                                                          22⤵
                                                          • Adds Run key to start application
                                                          PID:2804
                                                      • C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
                                                        21⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:3488
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXFNEY.bat" "
                                                          22⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3076
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe" /f
                                                            23⤵
                                                            • Adds Run key to start application
                                                            PID:1056
                                                        • C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe"
                                                          22⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:740
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
                                                            23⤵
                                                PID:4652
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
                                                                24⤵
                                                                • Adds Run key to start application
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3500
                                                            • C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
                                                              23⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2192
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "
                                                                24⤵
                                                  PID:1548
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe" /f
                                                                    25⤵
                                                                    • Adds Run key to start application
                                                                    PID:2808
                                                                • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe"
                                                                  24⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2120
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
                                                                    25⤵
                                                                      PID:1728
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
                                                                        26⤵
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2548
                                                                    • C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
                                                                      25⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:3376
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
                                                                        26⤵
                                                                          PID:4908
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe" /f
                                                                            27⤵
                                                                            • Adds Run key to start application
                                                                            PID:4156
                                                                        • C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe"
                                                                          26⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:3412
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
                                                                            27⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5088
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
                                                                              28⤵
                                                                              • Adds Run key to start application
                                                                              PID:3192
                                                                          • C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
                                                                            27⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2148
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
                                                                              28⤵
                                                                                PID:1152
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHUCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f
                                                                                  29⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:4700
                                                                              • C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"
                                                                                28⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1908
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
                                                                                  29⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3828
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
                                                                                    30⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4896
                                                                                • C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
                                                                                  29⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4280
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEJYXG.bat" "
                                                                                    30⤵
                                                                                      PID:2008
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe" /f
                                                                                        31⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:4976
                                                                                    • C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe"
                                                                                      30⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1600
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIQHBL.bat" "
                                                                                        31⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4748
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGEVTJJLGCDNJXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
                                                                                          32⤵
                                                                                          • Adds Run key to start application
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:5060
                                                                                      • C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
                                                                                        31⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:1548
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
                                                                                          32⤵
                                                                                            PID:1732
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
                                                                                              33⤵
                                                                                              • Adds Run key to start application
                                                                                              PID:4684
                                                                                          • C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
                                                                                            32⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:32
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLMJSE.bat" "
                                                                                              33⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1064
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQPCKBTLHCSLMVY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f
                                                                                                34⤵
                                                                                                • Adds Run key to start application
                                                                                                PID:2356
                                                                                            • C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"
                                                                                              33⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:4612
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
                                                                                                34⤵
                                                                                                  PID:2592
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
                                                                                                    35⤵
                                                                                                    • Adds Run key to start application
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:956
                                                                                                • C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
                                                                                                  34⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:1188
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
                                                                                                    35⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:4648
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
                                                                                                      36⤵
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:2496
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
                                                                                                    35⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:5012
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "
                                                                                                      36⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:5016
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
                                                                                                        37⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:4596
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
                                                                                                      36⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:5068
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJJWDT.bat" "
                                                                                                        37⤵
                                                                                                          PID:2648
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGYXUVINUVGAOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
                                                                                                            38⤵
                                                                                                            • Adds Run key to start application
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:312
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
                                                                                                          37⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:2008
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
                                                                                                            38⤵
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4032
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
                                                                                                              39⤵
                                                                                                              • Adds Run key to start application
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:4384
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
                                                                                                            38⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:4748
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "
                                                                                                              39⤵
                                                                                                                PID:2300
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
                                                                                                                  40⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:432
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
                                                                                                                39⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:2192
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUJXF.bat" "
                                                                                                                  40⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:3924
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVHEIDLAXBYTRA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe" /f
                                                                                                                    41⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:4160
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe"
                                                                                                                  40⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:3108
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
                                                                                                                    41⤵
                                                                                                                      PID:1492
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
                                                                                                                        42⤵
                                                                                                                        • Adds Run key to start application
                                                                                                                        PID:2120
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
                                                                                                                      41⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:5096
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
                                                                                                                        42⤵
                                                                                                                          PID:5088
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f
                                                                                                                            43⤵
                                                                                                                            • Adds Run key to start application
                                                                                                                            PID:4544
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"
                                                                                                                          42⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:4760
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJREDR.bat" "
                                                                                                                            43⤵
                                                                                                                              PID:1648
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBTXSPQDIPQYBUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f
                                                                                                                                44⤵
                                                                                                                                • Adds Run key to start application
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:1496
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"
                                                                                                                              43⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1288
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
                                                                                                                                44⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                                PID:2468
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                  45⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:4596
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                    46⤵
                                                                                                                                    • Modifies firewall policy service
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry key
                                                                                                                                    PID:320
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                  45⤵
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  PID:244
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                    46⤵
                                                                                                                                    • Modifies firewall policy service
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    • Modifies registry key
                                                                                                                                    PID:2268
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                  45⤵
                                                                                                                                    PID:4104
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                      46⤵
                                                                                                                                      • Modifies firewall policy service
                                                                                                                                      • Modifies registry key
                                                                                                                                      PID:2336
                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                    45⤵
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:5016
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                      46⤵
                                                                                                                                      • Modifies firewall policy service
                                                                                                                                      • Modifies registry key
                                                                                                                                      PID:2076
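
The tree above records the sample's persistence chain (each dropped service.exe runs a .bat whose reg.exe call adds an HKCU Run value pointing at the next copy of service.exe) and, from the final copy, two Windows Firewall policy edits made through reg.exe (DoNotAllowExceptions set to 0 and the binary added to AuthorizedApplications\List). The Python below is an added example and is not part of this report or of the sandbox's tooling: it parses reg.exe command lines, including ones wrapped in cmd /c, and tags those behaviours when run over command lines copied from the tree. The rule names, the flat command-line list and the Temp-path heuristic are this example's own assumptions.

```python
"""Tag the two behaviours recorded in the process tree above: Run-key
persistence pointing into the user's Temp directory and Windows Firewall
policy tampering via reg.exe.  Added example, not part of the sandbox
report; rule names and the flat command-line list are this example's own."""
import re

# Command lines copied from the process tree above into a constructed list
# (the report stores them per process, not as a flat log).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f',
]

RUN_KEY = r'\software\microsoft\windows\currentversion\run'
FW_POLICY = r'\services\sharedaccess\parameters\firewallpolicy'
FW_ALLOWLIST = r'\authorizedapplications\list'


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs
    together and dropping their quotes (sufficient for reg.exe arguments)."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline):
    """Return {'key', 'value', 'type', 'data'} for a ``reg add`` command
    line, or None when the line is not one.  A leading ``cmd /c`` wrapper
    and a full path to reg.exe are both accepted."""
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    start = None
    for i in range(len(low) - 1):
        exe = low[i].rsplit('\\', 1)[-1]          # strip any directory prefix
        if exe in ('reg', 'reg.exe') and low[i + 1] == 'add':
            start = i + 2                        # index of the key operand
            break
    if start is None or start >= len(toks):
        return None
    result = {'key': toks[start], 'value': None, 'type': None, 'data': None}
    names = {'/v': 'value', '/t': 'type', '/d': 'data'}
    j = start + 1
    while j < len(toks):
        if low[j] in names and j + 1 < len(toks):
            result[names[low[j]]] = toks[j + 1]
            j += 2
        else:
            j += 1                               # /f and anything unknown
    return result


def _normalize_key(key):
    """Lower-case the key and fold long hive names onto their short forms."""
    k = key.lower().rstrip('\\')
    for full, short in (('hkey_current_user', 'hkcu'), ('hkey_local_machine', 'hklm')):
        if k.startswith(full):
            k = short + k[len(full):]
    return k


def _in_temp(path):
    """Heuristic: does the path live under a Temp directory?"""
    p = path.lower()
    return '\\appdata\\local\\temp' in p or '\\windows\\temp\\' in p


def classify(cmdline):
    """Return the list of tags one command line triggers (empty if none)."""
    reg = parse_reg_add(cmdline)
    if reg is None:
        return []
    key = _normalize_key(reg['key'])
    value = reg['value'] or ''
    data = reg['data'] or ''
    tags = []
    if key.endswith(RUN_KEY):
        tags.append('run_key_persistence')
        if _in_temp(data):
            tags.append('run_key_points_into_temp')
    if FW_POLICY in key:
        # DoNotAllowExceptions=0 re-enables the profile's exception list.
        if value.lower() == 'donotallowexceptions' and data == '0':
            tags.append('firewall_exceptions_allowed')
        if key.endswith(FW_ALLOWLIST):
            tags.append('firewall_allowlist_added')
            if _in_temp(value) or _in_temp(data):
                tags.append('firewall_allowlist_temp_binary')
    return tags


def scan(cmdlines):
    """Return (index, tags) for every command line with at least one tag."""
    hits = []
    for i, c in enumerate(cmdlines):
        tags = classify(c)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == '__main__':
    for i, tags in scan(SAMPLE_CMDLINES):
        print(i, SAMPLE_CMDLINES[i][:60], tags)
```

Feed it the command-line field of process-creation telemetry (Sysmon Event ID 1 or equivalent) rather than the sandbox tree; the .bat wrapper lines carry no reg.exe call and correctly produce no tag, so the hits are the reg.exe children themselves.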

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                           • C:\Users\Admin\AppData\Local\TempAMYJI.txt
                                             Filesize  163B
                                             MD5       016472b5ff8b2e7c4dfd8c682023930e
                                             SHA1      2f079833f22d53b327b8e2194513f3c97ac02fb6
                                             SHA256    d78348bc794fdb36c93970519aab2dce2dc4b40d1942a758f34d610c58f33a97
                                             SHA512    18eb250179cc497252429fffc882d658e6b072835d6a620209da12afc0155394850a093ea0f935d9b6c02b75ed609cb012870b14cbf9b30a3bf9503b24bf09aa

                                           • C:\Users\Admin\AppData\Local\TempAOXKJ.txt
                                             Filesize  163B
                                             MD5       29321513607c0c119c775f76237d6d7a
                                             SHA1      9748598691bfcfc190c7926dba03a77bb0298d22
                                             SHA256    f8d9b22ed6509c63cdfcfd687d2822abc0eb7ea94498da8ff146fff4dd92c6bc
                                             SHA512    3626c8a267a07a9ffd407c897ff38eb8c9bbc75183568d6651c1066feba919d5e506f6f05bad2fc8e25781ec5d4536c1abb04e63090d7446db1b0d9a52e2fa8d

                                           • C:\Users\Admin\AppData\Local\TempAPXPJ.txt
                                             Filesize  163B
                                             MD5       80cf7932020e9b5016495e4b020c6887
                                             SHA1      fa0b1fcf5ec01feb2bae82623b0c5aa7703ceec5
                                             SHA256    6c7ad0abef65a55ee46641824b177a82ed725ec7d8dadbe76622b232b2273652
                                             SHA512    68a58ef747f0442584dd7180c2b45fc0d332f36fa41416298907d85be7d5ecf23fa706e289a49e44308d1e663df6996822267b4d4b6860bc459bd7c88e111fb8

                                           • C:\Users\Admin\AppData\Local\TempBUJXF.txt
                                             Filesize  163B
                                             MD5       3ad4916c06e2d08e999c89860267d573
                                             SHA1      8e6331e4b1ff713fe532cbc208a4264fa630aeb0
                                             SHA256    b53498f2410b619ff7a7a9bdefbbcdba03eab7899458b91820792ddbc7e62e20
                                             SHA512    9b787ffe1c510b0c69afa87bfdb895894fd9ea916d0d3a5e44e40017f03827bcc107c43b2a9d9c8ed364bf47f9330bd49f94e96d433631f103621c05e579bc1f

                                           • C:\Users\Admin\AppData\Local\TempCWAMY.txt
                                             Filesize  163B
                                             MD5       4ccca2d921a9ac73b28b6b9184427516
                                             SHA1      6266377f1d89239073b37acc6b7f568943359209
                                             SHA256    1f98e0c82803e42487e3c3043f77058742d13e42276b0e7eb93cc8f692eec01f
                                             SHA512    f1d2d4c76aa1d103c00cf85c9f87664d7cc622d2d0e95caad7e86a44657c9bf29210aa31e5e49108a70d9f4d4a50b84bc1905cb1fff6b79d49f01121ec6a4300

                                           • C:\Users\Admin\AppData\Local\TempDGHQM.txt
                                             Filesize  163B
                                             MD5       0a642b13e305d30ca155412d35b152af
                                             SHA1      781496d9955791faa48807abc37e66baaf0169f5
                                             SHA256    1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797
                                             SHA512    de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

                                           • C:\Users\Admin\AppData\Local\TempEDHYU.txt
                                             Filesize  163B
                                             MD5       b0e3f78dd578c1827bffd537f7263b0f
                                             SHA1      866ca32b655e01effdd00b4526f5756a5a6df846
                                             SHA256    da7a574d162e97a70dbce195f1ab7df74022ad3ef406bf41325a0ab8c5554018
                                             SHA512    73a574929bca426493fbebdea7a601429811a25462d827b9c0011529ec14a7831b005af48b66cfde904ad8c37c055f48c06c0a077a0e7b5a67c960bf62b86897

                                           • C:\Users\Admin\AppData\Local\TempEJYXG.txt
                                             Filesize  163B
                                             MD5       73053e23ed5ba3072ad1cc61295e8261
                                             SHA1      f38fe651f708324bb06c21fc99be059e2de7e663
                                             SHA256    3ad189bb0eef99337f1df10f209508a205446a5ab7aef7a6812041313632e385
                                             SHA512    6b26af6d8b8ae55a33c4d2353a91258f9e5734d0732355490a7210db03eb9f43b97888fbfdad19e951072171a1d1f6f05cfc747d14720c88295fde5ec8942463

                                           • C:\Users\Admin\AppData\Local\TempEXNJR.txt
                                             Filesize  163B
                                             MD5       15874e9166b9a49fcd62435843b07430
                                             SHA1      2654aa23dfb896878702f52586eafb8f39831a72
                                             SHA256    4122df0cdb9895f48a3e278c65988c3c6c5197d6a6cb09d32217ef89100a43d6
                                             SHA512    428a3b68e17e2404592e39b8eeb056a3d17de12296ee1a0b788a0e489de3d7e6d5273aba85afdaa143235b3c776e79fd520c22aa30e3fd9b6ebd32dd23837b5c

                                           • C:\Users\Admin\AppData\Local\TempFYNWJ.txt
                                             Filesize  163B
                                             MD5       df01f4a40aee87b7ee5954293fa4b573
                                             SHA1      a740458aa28514b7e90142f52161a4d18352a963
                                             SHA256    d3a10ba0ec2363628cda14010da7e80f4c1724eb857831f644c9c7db39a88522
                                             SHA512    0b310096fbc962bc77e251d7081fc474c271599e8c41b7e2cd8e822b3dfd5b70aedfe7604f11d1bc7365e29e3ca6e4b53fbe7b8322fabff3bdf8c640e6222809

                                           • C:\Users\Admin\AppData\Local\TempIACQM.txt
                                             Filesize  163B
                                             MD5       1725034dce64e5b21bf9bb34f976d7f2
                                             SHA1      a6a51a02e2e4434a8dbe3be66f59ee9e9198e035
                                             SHA256    6b7594806abe8ee858a0469b3bd160e6066e3c8ee725cf7dc6a3e9af9c119caa
                                             SHA512    9ba942b7912e4f69c72238317d4cb8a1d57c39e193d9523ecf106b1351fe804c67cd5a7473b4faee9da769902a8335d6046ec6b3516c8d699a0b50c62f2055e9

                                           • C:\Users\Admin\AppData\Local\TempIQHBL.txt
                                             Filesize  163B
                                             MD5       9ab7cd71891560db437de792cc8e89df
                                             SHA1      d24b02e2f1b4ef681a14d8b47bc182e0447d274e
                                             SHA256    9bdf3defc869d9c7c1bd75f76494f556ad93d962b6f42fcb89fb40ad71398b80
                                             SHA512    21665fef517a55d16485e68f385d4e3081d8b3b53365d4dfd1e6b874ea183a03937f8f29471dd55102f38a37f8dccae2f8c9a11b9ef3ffb824abae2376724591

                                           • C:\Users\Admin\AppData\Local\TempJJWDT.txt
                                             Filesize  163B
                                             MD5       cf2241bffc3e3a6c62f7bb879c8d873b
                                             SHA1      9bbe1c96f7400b540aa9b0b5db830a5cc44b2d84
                                             SHA256    c3c1dcea2cdc75e2ae9a319fbdd56f25f89dd24f67aa59e076196d3c948c4226
                                             SHA512    032432bc43f2780531c3e9b15cf30628cc15f4ccd85c8ff27a0ed7f6687deee9bbcf0f088af769c79b22529708e6bf9cef29bcf50b6ccbd0baa0770ab0cc8cd4

                                           • C:\Users\Admin\AppData\Local\TempJREDR.txt
                                             Filesize  163B
                                             MD5       5fec7328af99ecb08c5f2ae5a5353c1c

                                            SHA1

                                            e45990b8c428ce291e6dfbb0e3c9f22f9d421cdb

                                            SHA256

                                            f6ca5177631ec299a33eba5241e28f45169fc69bbb8b6e085f9486bb495525b9

                                            SHA512

                                            957ced51998e63ecd28c2fc9530c855495dd3594cb0e4bf4a20400cfac82d673818e9fa64e71fc8d2d33d93e1cad0e98cec54bd824236e34f5d29ba903ff4526

                                          • C:\Users\Admin\AppData\Local\TempKNPYU.txt

                                            Filesize

                                            163B

                                            MD5

                                            2eb2f361f855b94606ef7e80eff0bf2a

                                            SHA1

                                            3aae294038096ac207ef9b6850651299e3e4922c

                                            SHA256

                                            d45f39789853899fe4feb550aa2ddbe4c77d309342a7b578d0566c016116db51

                                            SHA512

                                            01de80786d23d61ffbc6d8e2f14a4044ab05d7dde4ff463cef9b232db01c8f4e322ed294233e8059bf60b5275e0d3c99b1c0fbfa2faca10f1799f621840ce2e5

                                          • C:\Users\Admin\AppData\Local\TempKYGUT.txt

                                            Filesize

                                            163B

                                            MD5

                                            d612c52e460fe347f03804b504fe08b2

                                            SHA1

                                            c5e6e2ba2df4fc978d564c07e208e6647177b1af

                                            SHA256

                                            1eadbe5eea3a0c6fe9bb4281d38f4c12141dd02c87b97cbece76fee8b9af2dac

                                            SHA512

                                            1dd02bbd9d0123ddacf2aa2303153c82ae0af66021f23f9fdbca4d21aa64787f737867e77befdad1c764706d8b9f7456657ea64652d8bb1a920676939cb68ef3

                                          • C:\Users\Admin\AppData\Local\TempLMJSE.txt

                                            Filesize

                                            163B

                                            MD5

                                            35509e2b03676f4fa2ad6b3d194846c4

                                            SHA1

                                            a346fa6c96e1186bb0dd1e3188c302ae136cfbb8

                                            SHA256

                                            a60d2d437ce08dc8d030a70e52d182e4f2fa67fd5f2be1d78ac6eeb9615344bd

                                            SHA512

                                            c737fc6ffe178c970f97e3d261154af7a67fba8276b995ebffa5c19faa00066c4cb00732a7466d5e370206af7e8013dc7eded5cf9b15bbd8e250b07da5fc3007

                                          • C:\Users\Admin\AppData\Local\TempLOPVB.txt

                                            Filesize

                                            163B

                                            MD5

                                            5fa3d09504478c861ba80b6d0fa6765d

                                            SHA1

                                            cfc7a0e9ecffdf8a8c3406c73cfa4caa889198f7

                                            SHA256

                                            f3ec550714854be007e6baa6d6543ebea691ce45c543147ce4a639bb94d79866

                                            SHA512

                                            32dff33bd9d142c4e57c6be68456bc5b39e7d92c01fc98cfd700008ea4600b5cd0805a2cda45a2aa685bc91989e557a776f8b35225fd723b4fa19ca36b119d91

                                          • C:\Users\Admin\AppData\Local\TempLUQDA.txt

                                            Filesize

                                            163B

                                            MD5

                                            0887f8a053b6634da227e398c394d81b

                                            SHA1

                                            7e302400941306dbb1fb3a489a23add27b1209d8

                                            SHA256

                                            2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

                                            SHA512

                                            e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

                                          • C:\Users\Admin\AppData\Local\TempMHQHF.txt

                                            Filesize

                                            163B

                                            MD5

                                            5a25b81aed74b167ea51919cf873d2fc

                                            SHA1

                                            56b2f2e5184300b74b0e947721dd445ab94b5fc1

                                            SHA256

                                            c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d

                                            SHA512

                                            a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1

                                          • C:\Users\Admin\AppData\Local\TempMPQVC.txt

                                            Filesize

                                            163B

                                            MD5

                                            01005956b2e2f9618ee5d54677a17f9e

                                            SHA1

                                            d06659adf8a2855ee3ad04156b940a9563c9dc64

                                            SHA256

                                            ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a

                                            SHA512

                                            56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba

                                          • C:\Users\Admin\AppData\Local\TempMQLTI.txt

                                            Filesize

                                            163B

                                            MD5

                                            b6b840ff8307ee32791b0a11dcfc6c1b

                                            SHA1

                                            48ab0432da2073016e17dbd5475f8ad1df654ce1

                                            SHA256

                                            4ae54b9e9997d21ea0277357a399b36349def9b6f1ad5fe59d2ff90951aface4

                                            SHA512

                                            3b3d034efd66858153a7b032357ac6bacaf75be3d46c46f16f0a1471871aca13b8fa70690567f5af92617e9250086c76d664126ab8dca87c5d48b444224f0762

                                          • C:\Users\Admin\AppData\Local\TempOMQLT.txt

                                            Filesize

                                            163B

                                            MD5

                                            ef5edc187dd574db15bc13db15c29730

                                            SHA1

                                            f3b596b9657f17c374bf27f16fc9a6df8f4c44c9

                                            SHA256

                                            71487f836772b1b39fe00590cd2d3670db8827008d6032759d213851ae7848cf

                                            SHA512

                                            00077c646294c3abfd99c621bb844c02c9fb37f1dd17c740cb5258ed2f877cdd00d25f641ccb2c022182a79cc9013080024945a6c86dcb6e4dc114ca87708bde

                                          • C:\Users\Admin\AppData\Local\TempPKDHI.txt

                                            Filesize

                                            163B

                                            MD5

                                            cde8f82092a7c710b845f2a0f43cf7aa

                                            SHA1

                                            6d68571b4600c17966c15a5549e1b3325a267fcd

                                            SHA256

                                            3da7ecd2cdcdf8c57427e467a4ad2ff0e2631f67164a4baa8b27aa3f017b60be

                                            SHA512

                                            0f07b87ca6672ae2b6424b733b1351136bfeda19e776f68886ed1f93bdda2c38929f09bdb7bd882231380f11108839a54dbb5970be9a6a3d8c4a93492d13f5f8

                                          • C:\Users\Admin\AppData\Local\TempPPYAT.txt

                                            Filesize

                                            163B

                                            MD5

                                            8017c40b3b87f358920ddc3a7822801d

                                            SHA1

                                            d1707ebb4875777b38e09531e15d0cc1bb133731

                                            SHA256

                                            ae1c8c15c6aa20d60fc888d7e2067bfcee9d767bfe85da8c6922e998f4c2ed5a

                                            SHA512

                                            b9f5f59b6d2d8e5250737c461625785dd78e697c9abf87e5f94751aa0f07e1f62fca270c00202ec6af2b18afc052de611eba4cd126b5ce78c913b0d518ca9354

                                          • C:\Users\Admin\AppData\Local\TempPVLJN.txt

                                            Filesize

                                            163B

                                            MD5

                                            f3931ccf4bdf284ee5fb347c6e43bbf9

                                            SHA1

                                            f538a7c05c86b67b4989635505496f06645b6758

                                            SHA256

                                            aae5447814b780af09a0f1a0e4bb253dc6dec2fb60f5bdb4e9bc7b27c21f77b4

                                            SHA512

                                            64cc45490c27133d4599cf71ecb148c129b33e83229572c6da074334a7016f51c1fba50ecf66b401fc2933c08b8a0a07a7292bd86bab251655555b34f8471514

                                          • C:\Users\Admin\AppData\Local\TempPYAUT.txt

                                            Filesize

                                            163B

                                            MD5

                                            6a5d696b87c0b6fe1cee953dc16b18d7

                                            SHA1

                                            60c05a7bcfc30fe6820c354216d291b5bdd4401c

                                            SHA256

                                            99e1967b9d201e2b8d8f7a4149191c9e3884de073943f85c7bad42d31eb4a9c8

                                            SHA512

                                            07e185e1f14bce9e436858891a62d22489e4c1bacf7be01ed8b415ba03c05f5337bc0ffc052a11335ad5f0b60031126a1e398d0683ea1a461845ca104dcb589d

                                          • C:\Users\Admin\AppData\Local\TempPYLKX.txt

                                            Filesize

                                            163B

                                            MD5

                                            84973159198fc6a47d4ee7e2843c299d

                                            SHA1

                                            aa83110f2b15b6fb05ee0fd34a05edaefc9c5a7b

                                            SHA256

                                            77c3bd7cc0ea87c59d4aed7055dbf3365b89ef8845dfe2728e53c25b0bb26391

                                            SHA512

                                            08c45c8d5463c57f6da07399416b6a2bc8cae74c022ed462c56cadcbaf323eab43b4f8a06431a02b4c14e39c50ecb6a95513f54810047d798c8eb4eea4c7cbbf

                                          • C:\Users\Admin\AppData\Local\TempRSXEF.txt

                                            Filesize

                                            163B

                                            MD5

                                            9c69a49bc663b0a59d50e45155108d50

                                            SHA1

                                            44ce998eee7669f8c36f1c1dd1e32a7b3f5e0931

                                            SHA256

                                            4437fa602b8c9b981570ff66dc7f23bb13c5324b65586bee76ba92c5c32fe1d3

                                            SHA512

                                            d2ba847997fadeb9e8139f8127de763e994141682ffb0883933f7814d779a4bc48a2073a2df63e5b9150c6310affe96d07c0ef2a7c0457994f421c975f006b8d

                                          • C:\Users\Admin\AppData\Local\TempSDXWL.txt

                                            Filesize

                                            163B

                                            MD5

                                            06759fbf084239e9ee1c0f2ef4138a48

                                            SHA1

                                            1fbc18020db2d4cda85d756d957bf75f14fe7a05

                                            SHA256

                                            c100e9f8b8b4f04a07b4d309e8260245bf1a6b6506af1fb090c5b05e92b9bbfa

                                            SHA512

                                            46fa33c2ecc23586735c40232dc43dbfdbc6170bca5b11083895ecc0e82b458c4776cf05c74229fe9315b14d02d6d709d2e27c418f69afd77a73c833ef8768b7

                                          • C:\Users\Admin\AppData\Local\TempSEMEH.txt

                                            Filesize

                                            163B

                                            MD5

                                            4fff14f3f96afc630022f1cd49679797

                                            SHA1

                                            bf9f7d514150513bb4a169657ded6dee7e323042

                                            SHA256

                                            7fa849ee648206dcbe76d2ddab3ccc18de8e595a77ec3950629ed2b79cf60f2c

                                            SHA512

                                            4385ddce5bf79f94eb37b72c4917c247fd8204128be70229b16ff548ca47cc872756bfdeef94f911ed569345920ade5b740747be1f725f7c448853cfd1a0f32e

                                          • C:\Users\Admin\AppData\Local\TempSGNIM.txt

                                            Filesize

                                            163B

                                            MD5

                                            b184f2f6fceabf37ef0d7f80f6ac6f91

                                            SHA1

                                            04712f75ebb47c4456185ab2001cd3a9c0c709c3

                                            SHA256

                                            e7985ce90b7608b32921376f86821a7d5e63f2b8a30120e4c2beff7975a6841e

                                            SHA512

                                            c71fbd33eaff9ea012dca66f119b493c03011dac2adabd32b937f79b12913f39cbb6c1b9df7dc537e602c9f5bb127f7cc6884b18ec223724ba4ae63aab1e9ca8

                                          • C:\Users\Admin\AppData\Local\TempUFYNW.txt

                                            Filesize

                                            163B

                                            MD5

                                            808b10324ef2c9f3667a72caa4dfa7fd

                                            SHA1

                                            21dc798bf9ae600cc0cd31745caa77cc4fedaa2d

                                            SHA256

                                            3e0a9595d08e5c5dfe573208bcfeee5a3773e82dc0efdc9e15d9a91ed7fe0af4

                                            SHA512

                                            8cd4978bfa56dd1b967205e32c7eb027d6b106958a0bc06d12b579a0523647c47cd1054446e85f832336b73140f5be351d9ab8c2426127c5f52e6646b51a3d59

                                          • C:\Users\Admin\AppData\Local\TempURAMS.txt

                                            Filesize

                                            163B

                                            MD5

                                            8242fb5d6fa630c4073388efd1ffd44a

                                            SHA1

                                            08cae6cfde916d69ad71d6b49be42d24ccffab64

                                            SHA256

                                            63725b478c68cc24876a429fd219ee83d663c7628e8fa56909231cc6e4a6f566

                                            SHA512

                                            8f35c03bbcfda32266613552ae644ab96bcd1d97bd21d3cae80b8a465a58ffcf1051e8eadd2f01869d86a739936c77d24cf103b6703cb73661e1d70eeb225ec5

                                          • C:\Users\Admin\AppData\Local\TempUSBCV.txt

                                            Filesize

                                            163B

                                            MD5

                                            cf0710f0f5e21858095eb02d90380c39

                                            SHA1

                                            dc568d72b993c384aea74f7cdcb7fc4140f90f45

                                            SHA256

                                            0582f4f97298d78b0de11877baf24c7d8146262d615bade867d1d4fb9a4bdeec

                                            SHA512

                                            3187a9d1599d9104819d7e4340fb52bd3878f00b053080a5d11595bec8eae7fbb040820c3f4c7b8b1ac45e60f7a7add6edc62c55dba975206474d91cc2dfdd79

                                          • C:\Users\Admin\AppData\Local\TempVKXIH.txt

                                            Filesize

                                            163B

                                            MD5

                                            1d04dcf7878702fd18d7e6ed7562894e

                                            SHA1

                                            7eb33af482be5164ce41ef0314274bdb945898f7

                                            SHA256

                                            12fac302f2e1efc661afc1594b5e5ab31298e3ac7cca736909610a7d48203890

                                            SHA512

                                            90194afa6724fd1ffe21cda8776505cc7b5457813b0bfd230f5679d75de2477e28d2491956e19588c55d4f97da897a8ef687290a0e8077ee130fce7696df5c42

                                          • C:\Users\Admin\AppData\Local\TempVLHPG.txt

                                            Filesize

                                            163B

                                            MD5

                                            9d1a78b99bf4b3d346fbaa3c0ef3ca47

                                            SHA1

                                            944068cca2361487fd9d9c9079cbe17dd002e117

                                            SHA256

                                            8a0d3a21eacd041ae16f71c335c24e969f3106765424fd07ce2cfa5d3f58ff26

                                            SHA512

                                            9e6382e356871f8aef1057550e0942e242a82f9a147251c075a42f19b2f2e13bdff62e9f28cb0fc8e4644c2ce204be69571bad9e74d6ffc9c89d3a8a9c9d37a8

                                          • C:\Users\Admin\AppData\Local\TempWSRGP.txt

                                            Filesize

                                            163B

                                            MD5

                                            035f1c7ed9b27d9073d73906455a2fa7

                                            SHA1

                                            b6edffed330d3b9db173f4f7ab44438b8de0f0e8

                                            SHA256

                                            086f99f1b6aa48c8e62a088b99ec7a6ae9334ee35ecbac29cd73903cbda438c5

                                            SHA512

                                            838ebc31f4c26a0dbdc9ac895fdfefe7f1ee0e5674c75e7087c52e01ae1b45a1271e1149c24353bd036b49dd8b319328779e701370de2941b276241eb7710d8e

                                          • C:\Users\Admin\AppData\Local\TempWVRSS.txt

                                            Filesize

                                            163B

                                            MD5

                                            beb0003da9260463a7cb0e32e3704637

                                            SHA1

                                            a2e726a978203f3fd4c53408cb3ce429a516e816

                                            SHA256

                                            99f820126e97c2a537ae489f2904e4746b85b55bbd13e08ae8e20f74dabbea92

                                            SHA512

                                            7c1a9270763b66b31032096c6204b9a4873961943694b790ac71353f37a95d3347bc0eadc8571de416e22d65aa65c22c70d6ded61fd19de7aa84fc8732e6c6e6

                                          • C:\Users\Admin\AppData\Local\TempWVRSS.txt

                                            Filesize

                                            163B

                                            MD5

                                            f7c2b529214710d2bba1b9dac4bdcef8

                                            SHA1

                                            0341723ce1dc588132281d460b672d26556c9c99

                                            SHA256

                                            71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691

                                            SHA512

                                            c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c

                                          • C:\Users\Admin\AppData\Local\TempXFNEY.txt

                                            Filesize

                                            163B

                                            MD5

                                            0e13ee2c6dcb5d6db9961e93afe834a1

                                            SHA1

                                            0f1a311cd3e6ab578813b39dbc0ea36efe53fc58

                                            SHA256

                                            7a9c0b88733dd6037a8413a2ef0cd1f5725c3c007b10ae056774c901ccfd4db3

                                            SHA512

                                            deaf2ca0f316099b683a3b139d65c10ab2f60eafb458bf4cc1ca9a62828b224dfa71688f26f4dddafa2920ad31eb7a1c891c2bad52cb37fcb48012d5271a8efd

                                          • C:\Users\Admin\AppData\Local\TempXGGPL.txt

                                            Filesize

                                            163B

                                            MD5

                                            2d88b6f973244a550fc52969ff4731d0

                                            SHA1

                                            c2ee94c917051b866b4e86c4a9172cb5bd55fcbc

                                            SHA256

                                            725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b

                                            SHA512

                                            7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693

                                          • C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            8a516acb00ce0156dc51a288b2c79034

                                            SHA1

                                            6cdf300d75e2c8328400ebf005adf485753c16ff

                                            SHA256

                                            509d726365d867e5141d9506379d5c7ae9bd825191136d43b3246f045ec7ecae

                                            SHA512

                                            0201c7c2fafd3d39f6f17abfba63754936711822420c39958d1a5dac134695a0dc2279fdc34cc6ff80357f1cac228c2a4fe1cdab775a03090ec81a9c64fcc8bf

                                          • C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            77ed43c054f23282fd3bb0137d6a400a

                                            SHA1

                                            a9a0e1cc62434eebda877dd7ea5371c9616da706

                                            SHA256

                                            3dfa8febcd173e5e4ba8ec6d8791b3ca86d067fe42626e3283f41c097b0b2895

                                            SHA512

                                            34d036d728b6f3cc1ebfeaf859043da4dc360263c8a9f4cd7082e043342bc3c0df28075c9fd255b90e1b952d3c2e8da843776df111146bce8d19fdc4f09831ec

                                          • C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            5d1b224a375961e4a5be0089a70bbd4c

                                            SHA1

                                            3c7b066536a51786db6c15b91bfaba55f6e2d92e

                                            SHA256

                                            106a32df8303288c3120a08c575d43c63db0883ba5997dbabdf21549a254122b

                                            SHA512

                                            0e9aaebaca7fdef09091dcf8b25fc0a88ae6f1847de2f4131f2f4d77ade2fbfd70d8ff2f289e2c3b8e75f38a66fd267061ef97039566b2c1accb559c3e85f316

                                          • C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            1610b4f4635fa595747035745c537d71

                                            SHA1

                                            d9a92ea76d5fb2cad19c9fce5b2854df0fc74996

                                            SHA256

                                            d6fa33608516811a2e7fd41324788e022de97b1ff720b8e4c23eacc1a5914a30

                                            SHA512

                                            f4e3c0c64690c93ad6c2214572f83d3793a85062ef447b98c39089342f22070471d7de5c491cf762addfa20fffd953d6c18d8f9f781ad877bd5b0b88341e0239

                                          • C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            e9002683034f1657e0d7fca3d03844f5

                                            SHA1
