Analysis

  • max time kernel
    137s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24/02/2025, 03:28

General

  • Target

    919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe

  • Size

    520KB

  • MD5

    9206eb8d5e51fd81a3e93d8d4891c7bc

  • SHA1

    69a3a8df6c866160351ecaf2fb484eb779322174

  • SHA256

    919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437

  • SHA512

    ec628da1c0e425c1858cdeccb0928387463b9a4a337e006d8f1b815213d80d307bad9ce412ca2d13bab943e93cda976cd8bdfb33956d44a9ebd04a6bedeb383b

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXN:zW6ncoyqOp6IsTl/mXN

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 9 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 42 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 43 IoCs
  • Adds Run key to start application 2 TTPs 43 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe
    "C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCKVWSQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2436
    • C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f
          4⤵
          • Adds Run key to start application
          PID:4440
      • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:844
        • C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
          "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRLEKC.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4260
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NFMMVRQFOBYWAOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2460
          • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
            "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4672
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIQH.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4576
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:1356
            • C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
              "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3796
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:5076
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSPJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  PID:4376
              • C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
                "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1652
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:3156
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    PID:3676
                • C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4332
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3972
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FQSNLNDRYHTXIUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe" /f
                      10⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:628
                  • C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:4752
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBIMA.bat" "
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1272
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHQXIEPIJSWXIJH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
                        11⤵
                        • Adds Run key to start application
                        PID:2172
                    • C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:3388
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
                        11⤵
                          PID:220
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe" /f
                            12⤵
                            • Adds Run key to start application
                            PID:4724
                        • C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe"
                          11⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2428
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
                            12⤵
                              PID:3964
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
                                13⤵
                                • Adds Run key to start application
                                PID:1460
                            • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
                              12⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:1980
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNIR.bat" "
                                13⤵
                                  PID:4076
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCNTYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe" /f
                                    14⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:4572
                                • C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe"
                                  13⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3048
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
                                    14⤵
                                      PID:1620
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
                                        15⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:4376
                                    • C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
                                      14⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:3008
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
                                        15⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1920
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
                                          16⤵
                                          • Adds Run key to start application
                                          PID:4692
                                      • C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
                                        "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
                                        15⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4776
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYBNKJ.bat" "
                                          16⤵
                                            PID:1040
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHCKVAXSQTIWEMD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
                                              17⤵
                                              • Adds Run key to start application
                                              • System Location Discovery: System Language Discovery
                                              PID:2472
                                          • C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
                                            16⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2848
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJREK.bat" "
                                              17⤵
                                                PID:4992
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRLLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
                                                  18⤵
                                                  • Adds Run key to start application
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2172
                                              • C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
                                                17⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:3628
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
                                                  18⤵
                                                    PID:3240
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
                                                      19⤵
                                                      • Adds Run key to start application
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3456
                                                  • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
                                                    18⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1188
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
                                                      19⤵
                                                        PID:3624
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
                                                          20⤵
                                                          • Adds Run key to start application
                                                          PID:1192
                                                      • C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
                                                        19⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2116
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMKOC.bat" "
                                                          20⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:3460
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXBYTRABUJXFOFC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
                                                            21⤵
                                                            • Adds Run key to start application
                                                            PID:1912
                                                        • C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
                                                          20⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:4352
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSEKP.bat" "
                                                            21⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:856
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe" /f
                                                              22⤵
                                                              • Adds Run key to start application
                                                              PID:3508
                                                          • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe"
                                                            21⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3676
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVORT.bat" "
                                                              22⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3012
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f
                                                                23⤵
                                                                • Adds Run key to start application
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1752
                                                            • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"
                                                              22⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:4460
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
                                                                23⤵
                                                                  PID:3432
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f
                                                                    24⤵
                                                                    • Adds Run key to start application
                                                                    PID:4392
                                                                • C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"
                                                                  23⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:1836
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
                                                                    24⤵
                                                                      PID:4000
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe" /f
                                                                        25⤵
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1844
                                                                    • C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe"
                                                                      24⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:1768
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNGJKT.bat" "
                                                                        25⤵
                                                                          PID:116
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PFBXWANDRNLQCQS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
                                                                            26⤵
                                                                            • Adds Run key to start application
                                                                            PID:2252
                                                                        • C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
                                                                          25⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:3184
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAWVM.bat" "
                                                                            26⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3408
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PTOVKLDKLUPYPEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
                                                                              27⤵
                                                                              • Adds Run key to start application
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4824
                                                                          • C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
                                                                            26⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:1104
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMRMTI.bat" "
                                                                              27⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1064
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVQDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
                                                                                28⤵
                                                                                • Adds Run key to start application
                                                                                PID:4952
                                                                            • C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
                                                                              27⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4076
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
                                                                                28⤵
                                                                                  PID:456
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPXHDOHIYRVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe" /f
                                                                                    29⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4968
                                                                                • C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe"
                                                                                  28⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  PID:1260
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
                                                                                    29⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:4908
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f
                                                                                      30⤵
                                                                                      • Adds Run key to start application
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:3520
                                                                                  • C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"
                                                                                    29⤵
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:2648
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
                                                                                      30⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1720
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f
                                                                                        31⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:4848
                                                                                    • C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"
                                                                                      30⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:4804
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRXJFP.bat" "
                                                                                        31⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3036
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
                                                                                          32⤵
                                                                                          • Adds Run key to start application
                                                                                          PID:4892
                                                                                      • C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
                                                                                        31⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:3208
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
                                                                                          32⤵
                                                                                            PID:4280
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
                                                                                              33⤵
                                                                                              • Adds Run key to start application
                                                                                              PID:1500
                                                                                          • C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
                                                                                            32⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3988
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
                                                                                              33⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:348
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFHCACXSGNIMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe" /f
                                                                                                34⤵
                                                                                                • Adds Run key to start application
                                                                                                PID:4268
                                                                                            • C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe"
                                                                                              33⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:2964
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
                                                                                                34⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:4248
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
                                                                                                  35⤵
                                                                                                  • Adds Run key to start application
                                                                                                  PID:4648
                                                                                              • C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
                                                                                                34⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:972
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
                                                                                                  35⤵
                                                                                                    PID:5092
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f
                                                                                                      36⤵
                                                                                                      • Adds Run key to start application
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:4564
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"
                                                                                                    35⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:3212
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
                                                                                                      36⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1492
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
                                                                                                        37⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:1240
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
                                                                                                      36⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:5028
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
                                                                                                        37⤵
                                                                                                          PID:3944
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
                                                                                                            38⤵
                                                                                                            • Adds Run key to start application
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:4196
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
                                                                                                          37⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:1456
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLDXAM.bat" "
                                                                                                            38⤵
                                                                                                              PID:4264
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTECGBJVWRPSHVD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe" /f
                                                                                                                39⤵
                                                                                                                • Adds Run key to start application
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:3808
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe"
                                                                                                              38⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4560
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
                                                                                                                39⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:4792
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f
                                                                                                                  40⤵
                                                                                                                  • Adds Run key to start application
                                                                                                                  PID:4804
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"
                                                                                                                39⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:4504
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
                                                                                                                  40⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4808
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f
                                                                                                                    41⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:232
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"
                                                                                                                  40⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:3556
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIWAW.bat" "
                                                                                                                    41⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:1892
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FRSNLODRYITYIUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
                                                                                                                      42⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      PID:1020
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
                                                                                                                    41⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:4648
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
                                                                                                                      42⤵
                                                                                                                        PID:4884
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
                                                                                                                          43⤵
                                                                                                                          • Adds Run key to start application
                                                                                                                          PID:1940
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
                                                                                                                        42⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                        PID:1220
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRR.bat" "
                                                                                                                          43⤵
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:4164
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTDOTDQBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
                                                                                                                            44⤵
                                                                                                                            • Adds Run key to start application
                                                                                                                            PID:1620
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
                                                                                                                          43⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:856
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
                                                                                                                            44⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:2508
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYKIMAEOTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
                                                                                                                              45⤵
                                                                                                                              • Adds Run key to start application
                                                                                                                              PID:4292
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
                                                                                                                            44⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                                            PID:4468
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
                                                                                                                              45⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:2932
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                46⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:1920
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                  47⤵
                                                                                                                                  • Modifies firewall policy service
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry key
                                                                                                                                  PID:4616
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                46⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:4364
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                  47⤵
                                                                                                                                  • Modifies firewall policy service
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry key
                                                                                                                                  PID:3808
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                46⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:764
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                  47⤵
                                                                                                                                  • Modifies firewall policy service
                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                  • Modifies registry key
                                                                                                                                  PID:988
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                46⤵
                                                                                                                                  PID:1300
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                    47⤵
                                                                                                                                    • Modifies firewall policy service
                                                                                                                                    • Modifies registry key
                                                                                                                                    PID:4516

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\TempCFHQM.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempCIWES.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempDMDXB.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempDXWLU.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempDXWLU.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempEIVWW.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempEIWAW.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempEWVRR.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempEXNIR.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempFVORT.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempGBIWE.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempGUCQP.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempGYXTU.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempHIFOA.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempHPBIM.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempJGOAH.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempKSEKP.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempKSELP.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempLDXAM.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempMJREK.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempMRMTI.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempNGJKT.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempNWIOT.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempOKXXJ.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempOMKOC.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempOMQLT.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempPBIMA.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempPTOWK.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempPXODM.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempQRWDE.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempRLEKC.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempRMUIJ.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempRXJFP.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempUQYPE.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempURAMS.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempVHFJE.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempWNLPK.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempWSRGP.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempXMIQH.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempYAWVM.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempYBNKJ.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\TempYKIMH.txt

                                        Filesize

                                        163B

                                      • C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

                                        Filesize

                                        520KB

                                      • C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        7f527620d43c47c728dffb7dd45ef911

                                        SHA1

                                        c23f6c4715156fc8a70e68864f0044c3d3c49f29

                                        SHA256

                                        46fc1e0e61e36b1cedb050551c2a3f31367a34ccf7b8b27cd8ca1a87a498882c

                                        SHA512

                                        723663d3006532d4eb479c8350395e7384f63b389e65db267d9ef6d7499a37062078d57e76f308ba56ef7195c8dd59f089805c60362831114a7778918fa1e533

                                      • C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        ef84280b377dafe63e545b3e8e943579

                                        SHA1

                                        36b24bdb42d047b1bfa745fc72b91bfa918d8a3a

                                        SHA256

                                        175d429ce0412c7ba74fd0cb27df7f25730b3b33cdb9bfbc55e2e426c2a44d60

                                        SHA512

                                        99aa2c335e9c8fa6250d54ba838b5da822c8e2ddc6da9682d872bcfc9da1e22b340e31275f66a28ee02058249d3e31b267b0f71838657c0544dca6b75352f9b4

                                      • C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        58496010951d3961fe5a13425ea0cd79

                                        SHA1

                                        f80fc7d9c52300f54ddaaf286ecfec5f4b8a719e

                                        SHA256

                                        b1d2400c468a7dbeedb78110cfa949e95b0c06b9a675ef0c8a5235c30176faa5

                                        SHA512

                                        e4012b34b91c37220fc178a9ea1ef491e93d2908bea82c6851221797a5177529fe403c30e30f361f4d6387fb17a809ecbfb3de85226911f3d39d35185c10bfff

                                      • C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        ee55ca908f97384c270e61566fe47167

                                        SHA1

                                        0770c3f56c1a47a7f699bc0a4a98150aaa5a6d4d

                                        SHA256

                                        498af80d63ff4c0a5fe7fd8d32b37fb747bb92a97b528d91edacb1c4d75d673d

                                        SHA512

                                        0a7f54c15668d7b8137bd0476d5100c38994525a6c8967175b1d07b15fbd7f86f5d0be0f6c6050efca4db894f0c2b2b69632e976e87fb407df8cdf3a21aa646d

                                      • C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        491464eca58b4a4c0e34f70701a44dea

                                        SHA1

                                        2cd375c7ce380780c94a4075045b9e2a9fcfabcb

                                        SHA256

                                        415313b39e389aa06ada027b05f36a80833f67555858de971dcafb0f08cba61b

                                        SHA512

                                        9b9d622c856bb2a41be1f9890d16b61a32d4a668d672559b9ef6a6de405fac0ab98f5136b1390358d6bf49c9785b8eaa69e9057b20b9c703ffda4a8b51f48f39

                                      • C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        869e554ed4fb03b75c5227cd2523d625

                                        SHA1

                                        181347516b9aa8ab3bc7f06d4c35acff5781195a

                                        SHA256

                                        773cbbbc658a9776db23ea4e7332fae4fd028a30985cf64c1c2cbc6bdee1daec

                                        SHA512

                                        ed090872b716db29f761771af423b815728886d287815a416a02f66294260a5f91213a37bbe200525db00ee0c2eb001f63fa140d5cf1c37b0392d256cee2cfa9

                                      • C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        7539c37de101bc6cf785e71548678222

                                        SHA1

                                        182516bb09650b9600d2a26a2dd58a8c24fdae6d

                                        SHA256

                                        d4b8eb2c486b0118c9c7a5f2cd5843e4f853efd52a95c3db80d899f70a3a0cab

                                        SHA512

                                        aeafdf802f70e6317c63c44cd3f2c251a6a832577ad905c63cadd18dd7b0f79483b0c92db54cc5843235a2cde20a2d8b555f41c59adce8772cdcd521969cbd3f

                                      • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        55661ab1cb2ccc7b34a19f8bb0639198

                                        SHA1

                                        c5f9baea44468c3a0bda18b509069c3c71286cea

                                        SHA256

                                        66fb4f593c7560d6e3e6a289d77d452b3be80813cacb2eae9e2506409320b365

                                        SHA512

                                        3ba2a34726a9e23f01305a6b83e8c58967f95ed5db8149027530341e667b092e068c49cae0bcda1e8bd6c1c8d9057f70b7dd4220da25073a65c3c68676e11dde

                                      • C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        8acae0a4b156ee7296ec93b36a7f2eb5

                                        SHA1

                                        7b9b3233b37ecc6f54bf49531447c8ac3940496a

                                        SHA256

                                        a6f77dbac1039f19b2fc63cdb22751ffa3b48d313da8f55e6e3a4087c58afb25

                                        SHA512

                                        8d808f637e73de1a0c7f862a3915a563a2ecb3f903de9686deee21ae8a3356c3d1cbc4543cf523ec74762d279cee46bbd0956dee8b60934a00e08fff89a87d7c

                                      • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        b23b456ae177ce9559b34ec58d095ceb

                                        SHA1

                                        e3ec3913e03cbb29fb72fa078242f6c0f870b50f

                                        SHA256

                                        4136c6928b7b39f74575e9971d4dee8a47d7f21c4c48eb3e65f23e2cf6e317a7

                                        SHA512

                                        835803601b36101ece706086bcd88bf4961ca46c520c611dc9a73bba250b550b88cf5eb21d83959ca816ccd01a36f2348e1c179b105149432ebb04b747fdb9f6

                                      • C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        0dcb1974588ea208e76b7589b7e47ab0

                                        SHA1

                                        957bba3eeb2a868af4a9dc887aeda4114878d8da

                                        SHA256

                                        9aded40a697916d504cd898861bd19f923cacbaea11ce25dded3c607d4ca672e

                                        SHA512

                                        441192d037e7bdaaa83c20ec962b19d214359746831bf4bdb71c4427f11ae8671cd2fda25b7a76a703cb6f4415a8200504475edd7a577832a5f65710cf4ca38f

                                      • C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        b21357ddf5d2d3379f33ac9f06ccb225

                                        SHA1

                                        fa6de056faf5e909447d82a94c4c8e932ea37c59

                                        SHA256

                                        d10f30a84fe4f465378242ded05e595b25c866e4434c1671db71408edee34715

                                        SHA512

                                        83cbb0507207175ad09f474f5edf876e4bc846f6cdab227f90b02602f5a8f4e1dd0e4b5d3b44b44fd7bc45407fce83703d5d02a2d5f73b93c4eb3e502025a88c

                                      • C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        78a917f100cac8087321d4dfa1546403

                                        SHA1

                                        4067e3a73a3d0eb6a8f2a76d6e7e88192f3121f9

                                        SHA256

                                        167d07cc5b092ec82631ec39995378365922f7a0e666e7e3d4e0cab2434c9c19

                                        SHA512

                                        029be9ae44adcaf9fd0cf9faf9508c52691c5a29bf1c9f38047c7ee44db85470c4e5f1e7a5f6f6649248fe102722a203e36e07174756fd7be4b963889c5e710b

                                      • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

                                        Filesize

                                        520KB

                                        MD5

                                        86e09bae83fd7941691f3b7aa41491e4

                                        SHA1

                                        c3d5f729382447ea27fbeffafec849faef8c2c70

                                        SHA256

                                        60ce106d68502dc574550f9f03c738db1cfd01312b0c69baf6e1865ba31e454d

                                        SHA512

                                        0c24df5b4d2f2574601359ef86e1259a2858bf0047c035c089c331379df07f046cdfa3b2c4e0a4195633a64df78cca1be582432470bdc9200e9779964f0bff47

                                      • C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.txt

                                        Filesize

                                        520KB

                                        MD5

                                        c95ec7ae7c806ed9f9c7f91d1dc8aeb6

                                        SHA1

                                        674c9f0f3f069f968e427d073c2b8b8d2ceaa126

                                        SHA256

                                        ad460348b4b1dd463ebc75bf45d859bb61ed8947199f239f055758100bb00056

                                        SHA512

                                        fb999ac1cda132930b990a4e074432c5da7732724b3290ea4e1540d6cb628448bd102f18181b163f619e61ec6ed11dee97034816f5f8562ff3bc52bfe2fc2d9f
