Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20250217-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23/02/2025, 21:58

General

  • Target

    35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

  • Size

    520KB

  • MD5

    0ef061308ce5237b1c4feb5ec4895e90

  • SHA1

    e8a728ead1cc3c2d931c6fc21ccd89fba5f0f220

  • SHA256

    35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6

  • SHA512

    79f5484feb40243edf020b3db170034a234e630634eba84f65828bb52d3722fa16de1ef7c0ab43ec21d5471f28525de9fdf23e61a61e6c92bf6f6d3847646760

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXy:zW6ncoyqOp6IsTl/mXy

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 8 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 39 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 40 IoCs
  • Adds Run key to start application 2 TTPs 39 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
    "C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3988
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXBBY.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPNPFTAJAUKWHG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1192
    • C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
      "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCXBPS.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVQYNOAGNOWSSHP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe" /f
          4⤵
          • Adds Run key to start application
          PID:384
      • C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe
        "C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1112
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:2840
        • C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
          "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRAQRO.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1224
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCHVUGOGXPLGWQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:1368
          • C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
            "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4604
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3412
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPNSERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:948
            • C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
              "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:688
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQLRWH.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:408
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWIQIRNIYSDTCST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:4868
              • C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe
                "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4236
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTFG.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4792
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJXENWUFBMFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    PID:2096
                • C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:5056
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
                    9⤵
                      PID:316
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
                        10⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:1480
                    • C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
                      9⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:1688
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWDRQ.bat" "
                        10⤵
                          PID:1604
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DOLKOCFBPVOEEGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe" /f
                            11⤵
                            • Adds Run key to start application
                            PID:4924
                        • C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe"
                          10⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          PID:4260
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "
                            11⤵
                            • System Location Discovery: System Language Discovery
                            PID:1036
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJABDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
                              12⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:4936
                          • C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
                            11⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:2720
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
                              12⤵
                                PID:3216
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKUFUAEUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe" /f
                                  13⤵
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:4816
                              • C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe"
                                12⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:448
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSRDLD.bat" "
                                  13⤵
                                    PID:2044
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFEGBIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
                                      14⤵
                                      • Adds Run key to start application
                                      PID:1564
                                  • C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
                                    13⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2560
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHMJUR.bat" "
                                      14⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3828
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TAGDSRFGBACXSFN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
                                        15⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:2544
                                    • C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
                                      14⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2996
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAYDVU.bat" "
                                        15⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3360
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AYMNIGJYMTCOTDP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f
                                          16⤵
                                          • Adds Run key to start application
                                          PID:452
                                      • C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
                                        "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"
                                        15⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1580
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "
                                          16⤵
                                            PID:1468
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f
                                              17⤵
                                              • Adds Run key to start application
                                              • System Location Discovery: System Language Discovery
                                              PID:3204
                                          • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"
                                            16⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2672
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBHMA.bat" "
                                              17⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:4952
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MHQXIEPIJSVXIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
                                                18⤵
                                                • Adds Run key to start application
                                                PID:4260
                                            • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
                                              17⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1676
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTAWXQ.bat" "
                                                18⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4372
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VURSFKRSDWWLTGF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
                                                  19⤵
                                                  • Adds Run key to start application
                                                  PID:4360
                                              • C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
                                                18⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2720
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTMPQV.bat" "
                                                  19⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2856
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGTAKXTRBWICWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe" /f
                                                    20⤵
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4992
                                                • C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe"
                                                  19⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4824
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "
                                                    20⤵
                                                      PID:4908
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f
                                                        21⤵
                                                        • Adds Run key to start application
                                                        PID:904
                                                    • C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"
                                                      20⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:116
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWHFKX.bat" "
                                                        21⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1144
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe" /f
                                                          22⤵
                                                          • Adds Run key to start application
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1112
                                                      • C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe"
                                                        21⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:5040
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
                                                          22⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2248
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKGDUSIIKFBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f
                                                            23⤵
                                                            • Adds Run key to start application
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4960
                                                        • C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"
                                                          22⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2336
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYKHM.bat" "
                                                            23⤵
                                                              PID:856
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKTQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
                                                                24⤵
                                                                • Adds Run key to start application
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1204
                                                            • C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
                                                              23⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2512
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOLUG.bat" "
                                                                24⤵
                                                                  PID:3792
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WESRDLDVMJDTNOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
                                                                    25⤵
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:408
                                                                • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
                                                                  24⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:1676
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVDRQC.bat" "
                                                                    25⤵
                                                                      PID:3724
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NLJNBFAPUNDDFAH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f
                                                                        26⤵
                                                                        • Adds Run key to start application
                                                                        PID:4940
                                                                    • C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"
                                                                      25⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2564
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOWO.bat" "
                                                                        26⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4560
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe" /f
                                                                          27⤵
                                                                          • Adds Run key to start application
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1148
                                                                      • C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe"
                                                                        26⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:3660
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
                                                                          27⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:628
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
                                                                            28⤵
                                                                            • Adds Run key to start application
                                                                            PID:3564
                                                                        • C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
                                                                          27⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1592
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
                                                                            28⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1208
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
                                                                              29⤵
                                                                              • Adds Run key to start application
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2972
                                                                          • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
                                                                            28⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:116
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
                                                                              29⤵
                                                                                PID:3132
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
                                                                                  30⤵
                                                                                  • Adds Run key to start application
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3144
                                                                              • C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
                                                                                29⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:4636
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJAUKW.bat" "
                                                                                  30⤵
                                                                                    PID:4456
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FLQCAEHSTPNPFSA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
                                                                                      31⤵
                                                                                      • Adds Run key to start application
                                                                                      PID:1952
                                                                                  • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
                                                                                    30⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1716
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYT.bat" "
                                                                                      31⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4360
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
                                                                                        32⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:4528
                                                                                    • C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
                                                                                      31⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:4244
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEABLH.bat" "
                                                                                        32⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4900
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GRPNRFIECTYRHHJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
                                                                                          33⤵
                                                                                          • Adds Run key to start application
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3780
                                                                                      • C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
                                                                                        32⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:2736
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
                                                                                          33⤵
                                                                                            PID:1676
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
                                                                                              34⤵
                                                                                              • Adds Run key to start application
                                                                                              PID:3980
                                                                                          • C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
                                                                                            33⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:4988
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
                                                                                              34⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3104
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
                                                                                                35⤵
                                                                                                • Adds Run key to start application
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2560
                                                                                            • C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
                                                                                              34⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:764
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
                                                                                                35⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5056
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGHY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe" /f
                                                                                                  36⤵
                                                                                                  • Adds Run key to start application
                                                                                                  PID:3740
                                                                                              • C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe"
                                                                                                35⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:2308
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
                                                                                                  36⤵
                                                                                                    PID:3536
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe" /f
                                                                                                      37⤵
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3132
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe"
                                                                                                    36⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:4700
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDENJX.bat" "
                                                                                                      37⤵
                                                                                                        PID:2224
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URQUHLHFVTKKMHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe" /f
                                                                                                          38⤵
                                                                                                          • Adds Run key to start application
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:4456
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe"
                                                                                                        37⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:1960
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "
                                                                                                          38⤵
                                                                                                            PID:2000
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCDOULJNIPEFXWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f
                                                                                                              39⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    PID:4392
• C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
  "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"
  38⤵
  • Checks computer location settings
  • Executes dropped EXE
  • Suspicious use of SetWindowsHookEx
  PID:3620
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUVSBN.bat" "
    39⤵
    • System Location Discovery: System Language Discovery
    PID:3896
    • C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGLYKSKTPKUFUAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f
      40⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2448
  • C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe
    "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"
    39⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:4992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAPQNW.bat" "
      40⤵
      • System Location Discovery: System Language Discovery
      PID:4412
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGUTGOFXPLGWPAQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f
        41⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2544
    • C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"
      40⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
        C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe
        41⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          42⤵
          • System Location Discovery: System Language Discovery
          PID:5092
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            43⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1632
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe:*:Enabled:Windows Messanger" /f
          42⤵
          PID:5084
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe:*:Enabled:Windows Messanger" /f
            43⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1140
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          42⤵
          • System Location Discovery: System Language Discovery
          PID:452
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            43⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:1516
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
          42⤵
          • System Location Discovery: System Language Discovery
          PID:2664
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
            43⤵
            • Modifies firewall policy service
            • Modifies registry key
            PID:4212

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\TempAHHQM.txt

                                    Filesize

                                    163B

                                    MD5

                                    764c6f83e516d4ca1d3b7408a50f18db

                                    SHA1

                                    be1d7c04d9861a6e80d770bdabac26e3250094fb

                                    SHA256

                                    f527d9d42fc7734e28a29d59910815e1550b0c1cbc4efaabcc15b0580be94881

                                    SHA512

                                    d990134e94fb1915536f64dcc10fc5d52eb2720cf337563583b1d07750272c3c71eeb029c382baf0225c57995d35626ae39c3611b57803ec78466fdc8ffd424b

                                  • C:\Users\Admin\AppData\Local\TempAPQNW.txt

                                    Filesize

                                    163B

                                    MD5

                                    1aac6cd43898aacab093a3aba98719e8

                                    SHA1

                                    1e733ae851ae4110bac0da82ea01ab8276418e89

                                    SHA256

                                    2500182bf360be4c8df56bdda4eec8d53e534f645e8226fc327016e971dc742a

                                    SHA512

                                    5fc28e5de950c673b7739cd3f49f9ccb2cb852e210d21cd0aba750c5c287aab45cb8e49627f3938a92df87188df0360e711d9bcaf1230f294001b501f9281236

                                  • C:\Users\Admin\AppData\Local\TempAYDVU.txt

                                    Filesize

                                    163B

                                    MD5

                                    2f62b625ae332625dca4ed7d67dc38a2

                                    SHA1

                                    5fa5dedfe0592ba5a771de70f9ae19ac12826508

                                    SHA256

                                    8ad4f88b92eb916cd2b66856c0e3461b028dc27365552cbd0398ce8e9aef620e

                                    SHA512

                                    1ec2d2b97366d3ca58fddb6f89869d5493a7f5d18755676a35a46bdc9b7e0374f70aacf91664409eee4db6a05d2e6b3127af622b75474dfcafd9f453b687fbee

                                  • C:\Users\Admin\AppData\Local\TempBXQVH.txt

                                    Filesize

                                    163B

                                    MD5

                                    4d1ced3d4c8bfeae6ef98e0df0357e3c

                                    SHA1

                                    8c30c873839f10d7f2d5d5b5184683ea5644a472

                                    SHA256

                                    c62ccf24c2e11171b45ad618c44b49a6c74ee39b009a512ad00b243784b9879d

                                    SHA512

                                    57aaf7e80597ff4064ad138c34ca347f0ce392e0005e31f0971674de94276f0885fbf40ffc3bdc25ce5cfc0f7edabca5167a7690cfeca879da975835139abfd2

                                  • C:\Users\Admin\AppData\Local\TempCFHQM.txt

                                    Filesize

                                    163B

                                    MD5

                                    0b4aef119eee6cba80557dc852e615f6

                                    SHA1

                                    5caf597c92a9603eafb62d1a367cb13b545a5a2b

                                    SHA256

                                    4121af4a96eba577837cc540b5900cb709aed6ecedae3348084e308f1671d288

                                    SHA512

                                    b7aaa74e0963f2c73bdd0faf311d037f3e430dbd02a08826dd1fea5f570575ddc685da904b7f57a9db2250aeb7f1121d6a5220984f00dd4718fec10f5b3d98d9

                                  • C:\Users\Admin\AppData\Local\TempCXBPS.txt

                                    Filesize

                                    163B

                                    MD5

                                    e7ee6c5aae24ee6096f1655aa9b597b1

                                    SHA1

                                    d535a42928208a5532f0057784bb67d27c6c003b

                                    SHA256

                                    856aa70c17765c529408c2b368c9330558eaed4617b9ffa27eed16d6d1b8a787

                                    SHA512

                                    ebdf92a36196ac31c02386908cd13d2793c02214ab483b76e18d8f956f0e85663e11b659abd317c8a5f9daccfa3a19b15c78151cfd3f16b0921c50b433296348

                                  • C:\Users\Admin\AppData\Local\TempDENJX.txt

                                    Filesize

                                    163B

                                    MD5

                                    4cbb29ee9f4ef94b5b3f6d1f0f45f313

                                    SHA1

                                    3b880e04ff8f1bb6a2ce6016080cd506ea746093

                                    SHA256

                                    b4ad76192e42d67224f1c5c2b3139552e2548600e48b81990c647c4358a2060d

                                    SHA512

                                    839dfdba7e0ba017ee7904c96b34a8738333adcd1eb34109ab362b949acb81f79e4af2e31684bbf3ed2cf88bba611019c6174db75dbd8549972e59698d14a67f

                                  • C:\Users\Admin\AppData\Local\TempEABLH.txt

                                    Filesize

                                    163B

                                    MD5

                                    861776b76831523679682a5ae15fa0a1

                                    SHA1

                                    b6a477f907a8dc193dbb1ca35335cf9611829764

                                    SHA256

                                    a35d3629e48fd0a31867067c2c281d9b80830d422be91863fe5b69b65922d3ff

                                    SHA512

                                    56949061de6a4e95a7f0fa8f146de809db47a5aca19dff1400e87241800a4c947a10a0e12e5908889ce63d2302be4e0a910dc1db711ef3bfeef41e533b5dbe51

                                  • C:\Users\Admin\AppData\Local\TempFYOJS.txt

                                    Filesize

                                    163B

                                    MD5

                                    a6fd2f8c9f4c3b89660cde9a8798411d

                                    SHA1

                                    5e5225840746c55716f45aa65010d03dcfb72829

                                    SHA256

                                    e6fa6dab8769b1e03af0a5bcd75ff7de4c9855a060e61ec39a57a4f1f154ddc1

                                    SHA512

                                    befcd08692bb3937718d613a8a76079b64ac692b808c698e923cf5a339d0e85833d1fde91ca15142e676e2b2dcfce38e7a1894a2ba47c2cb2816ef906c168ebd

                                  • C:\Users\Admin\AppData\Local\TempHMJUR.txt

                                    Filesize

                                    163B

                                    MD5

                                    020907a59f8f3e52c210a3d639faeb45

                                    SHA1

                                    8077476d95955a43c0d85e293044ef0dd0ffcbae

                                    SHA256

                                    c34090bd775c7763dfd3517e707e5cf62793ff216243c94a39b04b7cafb7d940

                                    SHA512

                                    51a90c649d9932462ba3da28a656825fbfa8fc6c8c2b98d6098b67bd808b422a1fe340014274e63d04be58eb3816b2312cc6f5452cd728b6d944f65907ed090b

                                  • C:\Users\Admin\AppData\Local\TempIRNVM.txt

                                    Filesize

                                    163B

                                    MD5

                                    2a68604252ca51ebbea26597dc2478e7

                                    SHA1

                                    4ddd87e1cf3fce03d24f98e54c78afffa5fa1896

                                    SHA256

                                    bb71df9c9ef903936d6262469a5ab4af2a1ca0b39d03ea3c4961b885651febc2

                                    SHA512

                                    962578b93c55a25030fa80efd44497a9d2ed90133a30c98cb7c02aeeda8ad6e8fca751d568d5a718a0bd0b17406aab428d3ead3351a4e6cc9ad0d165dbc37e7c

                                  • C:\Users\Admin\AppData\Local\TempIWDRQ.txt

                                    Filesize

                                    163B

                                    MD5

                                    f7845ecb29b5c5b066c3b8367af46e42

                                    SHA1

                                    2ef667a4c16bb139d075b8b5e2a5ea62fea2dd14

                                    SHA256

                                    4eaa4e62c5b8b41d4312b43a9cb4f3eae0ec3e6025f96cebb91b053d2082dfed

                                    SHA512

                                    1a052b3e18da93d9a5b9d768348f2589fa716badbb692752fffa34ce045ee535d099f079b33e5879a447a9e212f226b78955c3ab760b1c113e229e85d2952768

                                  • C:\Users\Admin\AppData\Local\TempJAUKW.txt

                                    Filesize

                                    163B

                                    MD5

                                    2ac4cc5a4317bfbf945cd2d419f1dbe5

                                    SHA1

                                    e729666cbee1a78bafb451490c4d17a7338610e6

                                    SHA256

                                    867d0794c50babcb2c120e15f373bc98d7ffd9b0ca29f734b20d49731da940ab

                                    SHA512

                                    077bb3c7011abe236f83044468d7d4b769ab088484326ebec46fb8ffafcf00a8d0ea1548705caeb2c569319ad8368af4c69bc5baea1026a74f91ebad490526e6

                                  • C:\Users\Admin\AppData\Local\TempJSNWN.txt

                                    Filesize

                                    163B

                                    MD5

                                    ee8e024e3fa98ca90d73c83a2dc91f46

                                    SHA1

                                    1f1b115ccbc4e85647fdcc90adfac5afe6639ab3

                                    SHA256

                                    99fbe30c0f81cf6cef8df23964828c71485f996912067a132955bff5859b4b4b

                                    SHA512

                                    150461dc208fa543f2f8e058cc84b9793a6f6171724e22d7a41642e7fdaa97841ad9c4b2f7ae87295820ff9105e729295fd87eb048435df37d1a0a40d6b12d94

                                  • C:\Users\Admin\AppData\Local\TempKNOYT.txt

                                    Filesize

                                    163B

                                    MD5

                                    f485eb466d124afe4f05082cc3b835ff

                                    SHA1

                                    00bd1a4c37f772616c2e3f6e3fd4c53341e1d523

                                    SHA256

                                    6246d34daef7970b9cab9952ec458e097ce05455408db8ddb3589dab848a9f9f

                                    SHA512

                                    dc0bb4ddbfef6bd302503539ea82d43aa0bd338da0a46a4e63a2701a77e87bb41c6f447ac5504908c900a7f511d6c9e516395b56235c00f56ee2eb5ca12325af

                                  • C:\Users\Admin\AppData\Local\TempKSOWO.txt

                                    Filesize

                                    163B

                                    MD5

                                    aa842c27a669217c58e6de3659796b05

                                    SHA1

                                    3dfd6b999c27d1faf4b20931cd158e5bac351106

                                    SHA256

                                    67a4bf4a0b0dde05c2c8892f8a5bc44cbe99f54e613451a049b61dca2291e45e

                                    SHA512

                                    697f1b874d92c72fe8462b5ca2d6f3b085d08447da51c1ad281a68a8dc3ea670c19c3a9e4553c3f01435b5cd17feeb0f30d083743cb7b4e8070c4f329f3e3857

                                  • C:\Users\Admin\AppData\Local\TempKXBBY.txt

                                    Filesize

                                    163B

                                    MD5

                                    e87cbf5a4c1c669bbc412470c6c61713

                                    SHA1

                                    9c03cbaf1c8c661b93d9418cd07be958897eb1bf

                                    SHA256

                                    5e48044a5e56b995d5761541de8dbdc7f4432170f19653bfa78f44eeb04996a2

                                    SHA512

                                    a3634480eae734a55a6d9efb522afbbf1235c46de525874bdd4380d4b9f31f683236199cd10a8a0066dbf2944a7df9976419edd8c7f124a438055325859b492d

                                  • C:\Users\Admin\AppData\Local\TempMIWVH.txt

                                    Filesize

                                    163B

                                    MD5

                                    ed29e7a8f7dc432a78b96eca9a08642a

                                    SHA1

                                    c6adc5520e0f5dd0ac12a13cfe3fe8cc682c3ab8

                                    SHA256

                                    895b9882491838cef15eae8fe21e3478e07273988b817118c579641b93689190

                                    SHA512

                                    2547184dbf7373b39db0fd6fd81fa8c93e396ca308a3e3e5bf82bf13be5dad4cb8964047b96b4bfbae225f26831d95ff423b5edca6179eeceefc97f9d4f068d7

                                  • C:\Users\Admin\AppData\Local\TempMJRDK.txt

                                    Filesize

                                    163B

                                    MD5

                                    a5fb00a96087f06911c0397be1a8fc9f

                                    SHA1

                                    f782d32a877c1035746ef1e994c1165a71734cc0

                                    SHA256

                                    37be668259048c9a00752ef14ca65be4b765997e97b5fc9cd707cb16591eed61

                                    SHA512

                                    40c8a6d4a167be5e1ed6b97d5bbeba0cc85e78e0ffa3c0ccf315f51141bcd9457bf8cce9ea7b4cd2ba134732eb898ef9d1bb5081ec01d9d07a84dbbb2918fb07

                                  • C:\Users\Admin\AppData\Local\TempNJXWI.txt

                                    Filesize

                                    163B

                                    MD5

                                    351119e46f798c1415001c88658bfaca

                                    SHA1

                                    690217c27eff4dcd537c066043fcc631e8b2089b

                                    SHA256

                                    5de0e56c154157dcd309b2f2112f7449347d3be617e07f7153c9c45ea0ba86cf

                                    SHA512

                                    769d08eb6e49d2e9b7abe512dc6745b0c2daa06144cc879b97a364337b290147b1ede38903a55d003f9546f356f4ec880bc0146c572da400f73adf64dcd8eef9

                                  • C:\Users\Admin\AppData\Local\TempNOLUG.txt

                                    Filesize

                                    163B

                                    MD5

                                    e26d004c18e2ad99e2dd3784e74d29f6

                                    SHA1

                                    0d2cff5688897f03f6c9002fb2f52042d748ef30

                                    SHA256

                                    73a708e8b6c5dbd3dde02c9d9e232b6210254b16c28196a5bccdbdd8edddebe7

                                    SHA512

                                    df6610fd9840ae07a9a4c8de2af3f33c2bb0096e4558fab6bd4bd99b8cb9547be30352e64fb61e88a9ec4df3f5047803a0cf677924abfff095c1eb73eb9263b8

                                  • C:\Users\Admin\AppData\Local\TempPBHMA.txt

                                    Filesize

                                    163B

                                    MD5

                                    21e6280cb7ea4d89a081ff0b7dd8cc89

                                    SHA1

                                    3f55e805946697cd183fe5266de2ceebd50dd2f1

                                    SHA256

                                    416a0271beccc72b2e148c48d1c0593b088d947f5b11c679752694215b9d9163

                                    SHA512

                                    e22eafdebd455f1c841a9840e91de0e939106f192a2766588eb9fd43c91ad1cfeff729e158d7502f8af58ac153dd531fab7f185617717475e50c3ceba19543e5

• C:\Users\Admin\AppData\Local\TempPSTFG.txt
  Filesize: 163B
  MD5: 3a26eadb4b0a35ab043a0e0e8e582b4d
  SHA1: 408ee48ffe56437014c6267d5113343cf0c36099
  SHA256: 124d26455dddb5942a78b80f3abbefb90d1213dd29b8c96c5bd2b36e4fc7100c
  SHA512: 5016d10ede767c67a07dfaecbbd728f2391aa954a1e020361f069f65becb5e9dce27199511a19a446f19fa39b975ac97c0f2bb686794e642f77601786a2a9fb6

• C:\Users\Admin\AppData\Local\TempQBUUJ.txt
  Filesize: 163B
  MD5: 0bc5d2a03eb0e150f6c2e1c71a4b6ca4
  SHA1: 6517bcd5e3d3b9331e07c0f6007fec1a8e79f0fb
  SHA256: c706566be3feba2adba77cba96e6fc5e2ddb1bd3cb1d46ad4603cde39d3d0eac
  SHA512: cc27807ebf474e2cb006231aa877249298c8db378f5157fa0c5981275f85ca7c9bfe7229501ac11b616960c1ded92448a60b410de44c986ed1455e611ef70032

• C:\Users\Admin\AppData\Local\TempQLRWH.txt
  Filesize: 163B
  MD5: 78982a697a138745537b353588a315e2
  SHA1: d50fd40dbc4c3e587cfcd00aca7fe569ee8022a8
  SHA256: 12415d1a43e9408e7107066447b936d0fc3fda0973999cb5ec13a85c79ec6a4f
  SHA512: 1e77656f58f7ed2570f5caff57096bb0b4699de8a0c337f2761fef551ab80bbbe7af7385f2fad8fac7121a6f076581fb9f31ae84025df2c098e7b99fa54de5fb

• C:\Users\Admin\AppData\Local\TempQWMKO.txt
  Filesize: 163B
  MD5: 0dc97faab010bf174db702381c9ba478
  SHA1: a515e6ccf579eda7e6aaae83ab4117c18cb73290
  SHA256: 0a4fcae90e3b4dc146f1f7a0a9fb11ae9c7ed566fd6029eca327b296929071fb
  SHA512: c1ce922250bfd779f2eb09d8745c712af490d93e2ef6376b8a7ed624be9758208b4437990fa4a0cb53e426e971e4696ba358556e23cc7811bea22818ae4af716

• C:\Users\Admin\AppData\Local\TempRAQRO.txt
  Filesize: 163B
  MD5: 9e2f111a8fd658cb7feca04145462d86
  SHA1: b21b5e7b6294ef801a3684bea27f1f0020ac1016
  SHA256: e911e7848a55b97cbceb7a0be4437c9d2d79274edc4da0c193d9ef2787ed32d7
  SHA512: 1fc10863ca4ff04c6d90c4452ee29924891b798da8c9f8d8b486bb7bdccbae21a093b85c975955adc0dbca3e3acc02043babcfdcdc762f552726a474787cffb5

• C:\Users\Admin\AppData\Local\TempREBQY.txt
  Filesize: 163B
  MD5: 5d3f8c9f7ed635f4e6fdebdae32e64d6
  SHA1: 463326b0e09f78fdcfe26e29ad3e802cf55a4f8f
  SHA256: 83e84c2e1c5aa7c04c1f9ddfc80399035abffb68ac7700ba12d18aacf7f89359
  SHA512: ad44dad082d299f9b3bedc2006dfdc70445a8b3d460d68c0a9a8c2964d33d2d9419912c27e72b3d2a191eef1de6e1d7dc9681b1b5d9a3dbe756b288f50cde882

• C:\Users\Admin\AppData\Local\TempSRDLD.txt
  Filesize: 163B
  MD5: 564688e1067a74eb742d82f3ed5f61a7
  SHA1: 9b80a8d9ad9b86a1074ff273837ec07e7946010a
  SHA256: ec8a69291f2ec828092dd7002e415db9ff33dd664d202fab964adb0a9c04254d
  SHA512: 06d8c2f64397ec9449ae69a4b18608fad289711079d104791798f77a44d1809c642a9d655c166dd5ec372182cf38c1786e3fa9b1600491196c238bd5ed938ab6

• C:\Users\Admin\AppData\Local\TempTAWXQ.txt
  Filesize: 163B
  MD5: 0f5f918e94bb2a4ad5c69674e5a6f128
  SHA1: 319e72171810dbd8ea09f1cb294a0baae761e514
  SHA256: 3c8a6def445c0ed7512ffd5f3177d84bce4068242ecc77e87407aaf50c44b0e5
  SHA512: ec9919764e2f9f535ab22bcc3c9991ae4d7d9512e7587a56736dd8bf446cbe855ab26efee5b03d099c7644771d79d9b591c5f0036c424cb6510d712124af5d19

• C:\Users\Admin\AppData\Local\TempTMPQV.txt
  Filesize: 163B
  MD5: 42bf80bf3ab31843555afd47aefc91ce
  SHA1: e6550a0d3ba7d1ce5c3bf58bf5b6bc21354f37d7
  SHA256: 57995eb76711a6f8aec1ac8c785a8338fbf6157916c36398fa0bc9fff7807ee6
  SHA512: dabe5436e1cabbd3b801883e6f6312ff623b256aa70634cee08495f68ec62899baf90fdd20cd7ceda54466f72def27f98c9acb7324004d920c1689638cc51828

• C:\Users\Admin\AppData\Local\TempTYKHM.txt
  Filesize: 163B
  MD5: e8e32524e36ee057c07930fb73c593f0
  SHA1: 47b1458e34d280a6ce43a992e8b5e47a5644cc29
  SHA256: 333800e64ecc52753e36c5a484d65bcdfc9e52a0e67fc14d19f2a10e95b91a4c
  SHA512: 578d39c6233f809442280678835cede9d6a73f8d3011d5e613508f6ceae34460b9e6dccc6e318f616e9cb6138e4071fe906b543d300bf48c339579c06f20d7fa

• C:\Users\Admin\AppData\Local\TempUGEIW.txt
  Filesize: 163B
  MD5: c6ad413703313815cb7b72e3d5e4d387
  SHA1: 702afd950c3d5cfbf13ea5e27932a792ef9c2e5c
  SHA256: 28d8d55a537d91dfd6c059ba0ecd06b85cb84da39e4a2ba1a9a3794dc8d61f84
  SHA512: f1b5250a66c6b97546ed4caaca5cd56924a9471c91063e08758ac349350b28b5843b4b1831b425d3e9054609ae421923bc0354687fe7678f66702fa93cb79bb5

• C:\Users\Admin\AppData\Local\TempUVSBN.txt
  Filesize: 163B
  MD5: 1863dc0be26821a12849a59d41f8efd6
  SHA1: bbebbbcad37db8bf390c43674677db0eb38051a6
  SHA256: 68a9ee889dac14e10700a8cfdc0abd8475d073b752428c234d2c77b931746a7c
  SHA512: ffcc7536fcdd0b35815416f1dea2a12db4efb754cf5b00594d280327750548c16fec53fb60650db6e225505c1dcb22f0aa1505d80938217ea30add2d443394ec

• C:\Users\Admin\AppData\Local\TempVDRQC.txt
  Filesize: 163B
  MD5: 4d75596e64860e4261a8bf3fd26ed5c8
  SHA1: 25d4f10f75661e8baf02111f133e33c5d4c790e4
  SHA256: 48b30374461980efc713c3dcebd0d09f1b8deed3f30850bcbcba06e964797668
  SHA512: 1edd0d7ddac4c7c7f728be03fce86383c12af533fa05ea1fa5cfe90ce22343c877fd6c127a04a850c03afa92a9f03d75e0e6ce135cfcb52f67ba2a8eac4635cd

• C:\Users\Admin\AppData\Local\TempVGFJW.txt
  Filesize: 163B
  MD5: ac25c8c9ed6bcd533246820219581d49
  SHA1: 48d325f7a561d8de40e892dfc28e05bacd7a9637
  SHA256: 8c5c2f6e28be144dc065d86a1fc060648df942eea0b3a65289dad855126a4176
  SHA512: 9085d29aedd00a6be910a9b4b17484e744164ec6c3c8cf10cc70d2643bd2e1f69fe5299fba25b4a5fe56dc75f16830b4b884f3ddfa26f1741fa8322d5e0d0555

• C:\Users\Admin\AppData\Local\TempWHFKX.txt
  Filesize: 163B
  MD5: ba5f9b1988e932bc9725380bb429969f
  SHA1: 60f8bfa16f254a72a26689e7fe13913835968073
  SHA256: 7f2e5f8d2bf4846e862c605804ae53b8332bda9d1a6d16d0a625c9199aa3542f
  SHA512: 549192fea8b82c9b36c4b4c0a63ba084d979614d831e93ae0d649d914c25de615d483314f96ba87df612d290ab23fda51fc84f75064cfdf97a60980c88ab5d37

• C:\Users\Admin\AppData\Local\TempWVSST.txt
  Filesize: 163B
  MD5: 7263bd0df17a5ae271fa59745cdde26a
  SHA1: 1c9d8b250257a149b67daaec96471871de9129a6
  SHA256: 7ffde724cf09f4918e391d1a352935f9561ca1afe0131db2504ea27c38fb07e1
  SHA512: 12aeaf2ab4867e8f1784b361c6d847302dbaf5b407716f0cb3af448e6478fcba19c13c95185bbc5d717215223dfe0dac392d6f4d0951c67d770461cefa8dbce0

• C:\Users\Admin\AppData\Local\TempYJHLG.txt
  Filesize: 163B
  MD5: 0ca7594c784c080f3b7cf8d15a02526a
  SHA1: 9c6ea961890ff783136516cdbabfd8d3c667001f
  SHA256: ae397b4f337d77e456a48b9618eb8c1f7b63da7c551fee05e5d3376e3f4ec527
  SHA512: 1d11e1ff9cb3801e477caae5c8f974cc27096e9b28419c5a5a9a8fb9a1b7afe8bc92cd3876a1c70e9e3b2ef500405dd361301e8c28461fb845a99607e5db77d7

• C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
  Filesize: 520KB
  MD5: dc86c3627f7c51a49e0628c178e1f110
  SHA1: d115506aa7abd92f609de25e8d84aa335f3610e0
  SHA256: 420ea4f5294309ff5aafd0ad24ed94079cdd01da7768ac6354db68d0b31fc645
  SHA512: 766a85c2fd96ec0203e9b5c8c101e7d958460c16e8e27575eb3927f362d58b2310a72e69523d20a4815188d537804619615896e461ae57e331e947d65ccf036f

• C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
  Filesize: 520KB
  MD5: 074e550432c16487a80e2af62e57305d
  SHA1: 78a6626e39af3635e145c97d005b294f5c1ebe19
  SHA256: 4942840995e8f4c495c51cb9f3f2c42c3b59782f4b1a578e5af1819a153eab16
  SHA512: 766b267181325d7bf705b12fb51f48b1a62a32fc43f9c1e9fb7bb305185ba5a208f6e9b5c6b29e4a234240617438cd8a4b5faa46a38bfd60441e82656a6b4e96

• C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe
  Filesize: 520KB
  MD5: 345076bac10d15e064535ddb6564c99f
  SHA1: ed1f89050c1c83b9ba760747104941fe4b79746e
  SHA256: 5c9302eb3a033a97cbb86ce374948d0791fea51de8dea90e75df8ac76590b03e
  SHA512: edffd6b6710dfc462afff6bde089e7fbffe3bedcafa9003f773482853a84f6869ea9760488dc9ed928109fa9a15465b26af81e5bce93285fae6eec55467974ec

• C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
  Filesize: 520KB
  MD5: c54f50c0606ea528b400fabae109b9a9
  SHA1: bcb829372dc673e9d1627cf9b193e808480aa995
  SHA256: 75ed5bd2b7f39c281ae27e77304d342784fbc12356f6d285fd25912735123955
  SHA512: 9aabb9e3026465e05a672260bf1eb5dbea85eb252cc6b5bdc4105c841143581fb121365ea7465f41c015cd9791757178886f473e49cb3d85cb04d62a5d20c4ba

• C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
  Filesize: 520KB
  MD5: ebd2f451c65cf113e5c0b7d34761f35f
  SHA1: 22729f7ae311171766c131c4e1d594f96cdc8d29
  SHA256: 8840e3cc06c6e285f03031a5bdf383bd26a81ae7bbe32f73e8c1569879ff93c9
  SHA512: c49f794c8919427453f5fb4a442de00e87464b30ea7be65db805a7e6a029effa9dfd6c4a98962c3cb2ad9b513eb125ab48276a8c7ec2ff5e51fc15ca5f753cfe

• C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
  Filesize: 520KB
  MD5: daf37cc382f1cf2ffdf6b6ce4f2d52ee
  SHA1: ed8adfec5bd80f5eb31f99b88019a30c24fea903
  SHA256: 487763be96166fdd1be2f7d1d23454a959eecf844673b35a02d927c74e1c950e
  SHA512: a0cffc6b1bff1aeed3d56720383ec55dfd69af9b81bd333daba0fa9573fcb27cc2c3bff66098e5532babe2b35df9683c09e9691c6e335474f9a09004d4bcc08f

• C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
  Filesize: 520KB
  MD5: d44dc15d5e1727b1100b78713f3eb80c
  SHA1: ed08f651d792a3db6252514f2df5c9242f6e5054
  SHA256: aca1aa6b770b75f33e11e5cf14e75331ec3aa3696c229b42df39527f2b7343ab
  SHA512: c5f7653017c0787978f23b9f22f25c28edc15088a1c689cc8c7108792e80d8eb60a3da6314e33161d3a864dadfd93a9b293a65aeb3787c4f50d72073c21b308d

• C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.txt
  Filesize: 520KB
  MD5: a2f397435534c0b6d0c38aa774fcc9ed
  SHA1: 46a5b4a5fb2ee1e444e3fe197e51deb46b669045
  SHA256: 79ee22f8aa537bf6c8a2f8174aa0e9c2f226832a7555f0ec83d1f5209fd80223
  SHA512: f25e97ddd24c0564d02d706dad78a5911262cdd69e60d368350f1006d7d1ff52096e2f33c7bad501ae01b92ef9de6094ca8b4a4543b025347540caa43cd25437

• C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
  Filesize: 520KB
  MD5: ef195115c3740bb26cc423d59fc32d3e
  SHA1: 58279232be3e5be0365497857762c86a6f5b9295
  SHA256: 9fc6c555d815b7dd40b1c743d174985dd8c558b690c77a299c0bc6e3ce0f2082
  SHA512: 272e2d16198b6452b6d92f52b98f6f8be0216000aa08b3e85badcf43ac769406c4e0703d79b54327f9fa478159be5f26ad6c140f9099c4fb4d590d2ae01554b7

• C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
  Filesize: 520KB
  MD5: f389b385a183103f54dda35d317ca9e7
  SHA1: d6dc4f44bd23df28700df28aaab7fd71a2f5c3ef
  SHA256: 1be46f310b22fe03b1ab7ea465ac3803fa0938ce1e9e3b324a12126472c4fd70
  SHA512: 59c1f92ba70323742880a3abeb2b2a0478e65530a428c981d6106640a970c0b39d1640c56fc554e70af67e3160772cef4f6a09606d68b65e17d6bf81a3b2fb3d

• C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
  Filesize: 520KB
  MD5: fd804752348f4a138677c4eab498e3ca
  SHA1: 22611aae2a50f3129ccc5e040a155b1e390bc69c
  SHA256: 81796de1544b4128e71f91343028eff017f4eae592b5ca9d2c959593a75a8101
  SHA512: e3c4d3c1d0e0e4c43037dfca793463fdb8f863d71e04a6779dc27a842c30dd98806740de4d348bcc6e4f6c1319cda72e1e8ce9f11586526361c06ebd35e4fc89

• C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
  Filesize: 520KB
  MD5: 242c2390cca813c446b17bcbaae8bff5
  SHA1: b8673a1a5d3709dbe490e20d7d293b8873d62d3b
  SHA256: ed601e9677d9a297f0ef1d07ebd56e6158f419e29a797f3463eacd5a01dc54d8
  SHA512: 984f8e51d7e4c8564c45ec1e73a0bf9f90bd16965029e76087ad336baab64be8b865a63885f045ed2d0133f2a6fb2b34af91b446b5c30f0696b025c73b4112ee

• C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
  Filesize: 520KB
  MD5: f5acf5dca4b98ab8aa0dd17f18bbb81c
  SHA1: 48f55cc36a195507574006853eaaf8823453bf97
  SHA256: 0d10043f01c22ef16ccd5d79f89412ec92f7bc432acc5fef347ecace5e42f387
  SHA512: 518271e4244be7e4d88e3889733b1971aa0048e1c8b3653fa1f906e26944214ea4c8047ddeb87be307b0cb460f2f338fe5724928d9ed0b1eca0ae82545df7345

• C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe
  Filesize: 520KB
  MD5: 8ca7f2371e097396e5982aa04e2e2f2d
  SHA1: c3d8a4278005f1ef85c1b4c426b8417571601d53
  SHA256: 894d3209a44aa27a529200b92744b60cf5e2cb73ce41ccc796dc52c3e47a5956
  SHA512: 455ab08e328b7aee09ae192ee23ff564222dd6e57b6114bd77ecbddf3d37fc2b49bc94e947f524546ea8d9f79d514b71558436e3fadedce6a8fc4ca385929a43

• C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe
  Filesize: 520KB
  MD5: 803dbca30856c5bcd62daa18b9f2e4a1
  SHA1: ab566a807f9a0fcb0b8f79711e97e222ff3ae125
  SHA256: 14c01548ca07a5625447260ff0465e3d068027253958d716a9418a908c5967a4
  SHA512: 3c92f99c0fc8eb84495105a5d8b39e45d01adc3c0c40ababf19cbf676da4095a393f882c4f659790a072398861b3197074ff2708bbe5f02d47960ab2c9aa1904

• C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe
  Filesize: 520KB
  MD5: c1fdc9ddec83d8b14b9820963b4d1ef1
  SHA1: 860eec701aa457ec2115d59327ca40ad99a8d181
  SHA256: dd738adcdb1ce4cf3e5c5c805da21906cf63fe2281ca36f6ead4e01f1bc12e47
  SHA512: d7e8b75a281677df1edbdba8589e506e607232fb2fffd5933d60d7c7ec62f986222890342f797f133f28504e03bd4135e7aee649bf5547ea4b5b06cf0747acf1

• C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
  Filesize: 520KB
  MD5: 36f054bc93f1a0f84a7218bafd5570d0
  SHA1: cd9ec80f70e3473fea51de7d7de63cab811525d0
  SHA256: 8d63d4fbd36dd40f0e9be7b294eca22c2b6850bbb6de1d91d54dcc2a8e062617
  SHA512: db0294ebbfc59c59caf486d1341981a9dd085822f42a331fc149b39e9f31abb95588e8516671468365d88bb244741fa465b769c6867d3bf459c18eaf84aa4c12

• C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
  Filesize: 520KB
  MD5: 74a8eddd889093386bbe896a0d32e107
  SHA1: 77ff9a388200f8627f277270866bb7a741a90a31
  SHA256: c98847e2b63696932fb16474d70300d3cc3aac96f8599a705f675085f6570e7d
  SHA512: 99cbf86662101fc0816534af17f0bc2143ce3141ec194a5a7a07e59f7f4c81177ad4b41bcff7e7ce23c54408f8efb981136439ef10d89796fa91d1bdf8faceb1

• C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
  Filesize: 520KB
  MD5: 8b0d3000758ed1b408b8e8fa4b9a91aa
  SHA1: 54932d80df76d17a3c52e6fbcd6be2db64dbdc23
  SHA256: 5c540c475e20f0ac4f9fcd90459b1affe46fb32bfc9617c0651870a1fe00f89a
  SHA512: 6f0763d1da1da95262b29b5734d1ca1cb44b57931de6f06d06a692351e308fd5f3d80ebffe12101fe5f740b6386cff28dd3029f1c69e1587862d51491593ef80

• C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe
  Filesize: 520KB
  MD5: 8ee461597ef2dd2546a9eafb21aba690
  SHA1: 427034366961fa4d5da930903d804e47c1631947
  SHA256: b3e57ec4d1b1169885f0a5087d8d0760ae894eb66df6265d910d801c1c268565
  SHA512: a2398ebe47b5e73051808db1cc4cfeb407cd309af4e8a0ebbe4d86e3014f228429f83b9a3e44879d39808d804cf9973c8e5734b28f4c3b6c94926acdec15e8ee

• C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe
  Filesize: 520KB
  MD5: 785053b902b7d9c552a8af49a51dab2c
  SHA1: 0d692041035d9550fcec8a523183c6e647d9357f
  SHA256: 06ce15160e9f7afbb7683ded16dfb0779c9c1c902a9d22b9c9584e65a4314e2a
  SHA512: 46b0578cb47beb8ea0727f3be8666d46f1a1d21e1ea24dd837e7becb10f54d4d7c29c3dd422dce8ea76cb80368956d0cf71913f0687537516754fbadc45fae5e

• memory/2792-1002-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1003-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1008-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1011-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1012-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1013-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1015-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB

• memory/2792-1016-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB
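Added example, not part of the sandbox report or its tooling: a small parser that turns the dropped-file list above into records, validates every digest (length and hex alphabet), cross-checks each memory dump's reported size against the address range in its file name, and groups digests by file size. The embedded sample input copies two service.exe entries and one dump from this report; the reading of the dump name as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is an assumption drawn from the names as they appear here, not something the sandbox documents.

```python
"""Turn a sandbox report's dropped-file table into validated hunting IoCs."""
import re

# Constructed sample: two service.exe entries and one memory dump copied from the
# report above, in both layouts the page uses (a bare label with its value on the
# next line, blank lines allowed between them, and "Label: value" on one line).
SAMPLE_REPORT = r"""
• C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
  Filesize

  520KB
  MD5
  dc86c3627f7c51a49e0628c178e1f110
  SHA1
  d115506aa7abd92f609de25e8d84aa335f3610e0
  SHA256
  420ea4f5294309ff5aafd0ad24ed94079cdd01da7768ac6354db68d0b31fc645
  SHA512
  766a85c2fd96ec0203e9b5c8c101e7d958460c16e8e27575eb3927f362d58b2310a72e69523d20a4815188d537804619615896e461ae57e331e947d65ccf036f

• C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
  Filesize: 520KB
  MD5: 074e550432c16487a80e2af62e57305d
  SHA1: 78a6626e39af3635e145c97d005b294f5c1ebe19
  SHA256: 4942840995e8f4c495c51cb9f3f2c42c3b59782f4b1a578e5af1819a153eab16
  SHA512: 766b267181325d7bf705b12fb51f48b1a62a32fc43f9c1e9fb7bb305185ba5a208f6e9b5c6b29e4a234240617438cd8a4b5faa46a38bfd60441e82656a6b4e96

• memory/2792-1002-0x0000000000400000-0x0000000000471000-memory.dmp
  Filesize: 452KB
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(HEX_LEN)
LABEL_RE = re.compile(r"^(%s)\b\s*:?\s*(.*)$" % "|".join(LABELS))
SIZE_RE = re.compile(r"^(\d+)\s*([KM]?B)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
# Assumed reading of the dump names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/\d+-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

def parse_report(text):
    """Group the flattened report lines into one dict per dropped file."""
    records, pending = [], None  # pending: label whose value is on a later line
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("•"):  # every entry opens with the bullet and the path
            records.append({"path": line.lstrip("• ").strip()})
            pending = None
        elif records and (m := LABEL_RE.match(line)):
            label, value = m.group(1), m.group(2).strip()
            if value:  # "MD5: <hash>" on one line
                records[-1][label] = value
                pending = None
            else:  # bare "MD5": the value follows on the next non-blank line
                pending = label
        elif pending:  # only ever set once a record exists
            records[-1][pending] = line
            pending = None
    return records

def size_to_bytes(text):
    """'163B' -> 163, '520KB' -> 532480."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(m.group(1)) * UNIT[m.group(2)]

def mem_range_kb(path):
    """Kilobytes covered by the address range encoded in a memory dump name."""
    m = MEM_RE.match(path)
    if not m:
        raise ValueError(f"not a memory dump name: {path!r}")
    return (int(m.group(2), 16) - int(m.group(1), 16)) // 1024

def validate(rec):
    """Problems with one record; an empty list means it is safe to load as an IoC."""
    problems, is_dump = [], rec["path"].startswith("memory/")
    for algo, length in HEX_LEN.items():
        value = rec.get(algo)
        if value is None:
            if not is_dump:  # dumps carry no hashes in this report
                problems.append(f"missing {algo}")
        elif not re.fullmatch(r"[0-9a-f]{%d}" % length, value.lower()):
            problems.append(f"{algo} is not {length} hex chars")
    if "Filesize" not in rec:
        problems.append("missing Filesize")
    elif is_dump and mem_range_kb(rec["path"]) != size_to_bytes(rec["Filesize"]) // 1024:
        problems.append("Filesize disagrees with the dumped address range")
    return problems

def hashes_by_size(records, algo="SHA256"):
    """Distinct digests per reported size; several at one size means per-copy variation."""
    out = {}
    for rec in records:
        if algo in rec:
            out.setdefault(rec["Filesize"], set()).add(rec[algo].lower())
    return out

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print([validate(r) or "ok" for r in recs], {s: len(d) for s, d in hashes_by_size(recs).items()})
    # -> ['ok', 'ok', 'ok'] {'520KB': 2}
```

Run over the full list above, the size grouping makes the practical point of this section: every dropped service.exe (and the service.txt beside them) is 520KB, the same size as the submitted sample, yet each carries its own MD5, SHA1, SHA256 and SHA512. A blocklist built from the parent sample's hashes alone will match none of the copies, so either ship every per-copy digest or hunt on what stays constant: the path shape (a 15-uppercase-letter directory under the user's Local\Temp holding service.exe, and 163B .txt files named Temp?????.txt directly under Local), plus the behaviours listed in the signatures section. The dump check is a cheap sanity test on the report itself: 0x471000 - 0x400000 is exactly the 452KB the table reports for each dump of PID 2792.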