Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2025, 23:01

General

  • Target

    e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe

  • Size

    520KB

  • MD5

    481090609ca307c7630403cdebdf988a

  • SHA1

    7476081b41b122a1ef39bd7b0ea7c41259df8c9c

  • SHA256

    e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

  • SHA512

    e4d4ba737881a6deaf6f92af13c6a018880e434c8eed7e4095257895f142658d103ef20d33b7cefa0a92605f87150ead8b1f40bbfd53a59fd2d76e93796d5fd6

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload (9 IoCs)
  • Modifies firewall policy service (3 TTPs, 10 IoCs)
  • Checks computer location settings (2 TTPs, 39 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (40 IoCs)
  • Adds Run key to start application (2 TTPs, 39 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of SetWindowsHookEx (43 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
    "C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPVHD.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYAKQXXIBDQMLGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1796
    • C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
      "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4072
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACERNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
          4⤵
          • Adds Run key to start application
          PID:2432
      • C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
        "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3604
        • C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
          "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3500
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:996
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCFHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:32
          • C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
            "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4448
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCVTCC.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:5044
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQALRWIGKFNBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe" /f
                7⤵
                • Adds Run key to start application
                PID:4272
            • C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
              "C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4792
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVOTFC.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4860
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VXJPWWHABPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:2640
              • C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
                "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1028
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJWHGK.bat" "
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4764
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    PID:3196
                • C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3580
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUGNS.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:3604
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f
                      10⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:2096
                  • C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:4048
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:448
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMAMYVASWROPCHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
                        11⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:316
                    • C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:4000
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:4696
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EOTMCCEGUCQPBJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f
                          12⤵
                          • Adds Run key to start application
                          PID:388
                      • C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:3192
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2640
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQTIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
                            13⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2280
                        • C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:4784
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNCLWU.bat" "
                            13⤵
                            PID:3196
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SYPNRMTIJBIJRNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f
                              14⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:3272
                            • C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"
                              13⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2832
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
                                14⤵
                                • System Location Discovery: System Language Discovery
                                PID:2684
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
                                  15⤵
                                  • Adds Run key to start application
                                  PID:4680
                              • C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
                                14⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:1364
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
                                  15⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:628
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
                                    16⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:792
                                • C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
                                  15⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:1996
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "
                                    16⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3300
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKYFOXVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
                                      17⤵
                                      • Adds Run key to start application
                                      PID:2016
                                  • C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
                                    16⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4696
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRIGS.bat" "
                                      17⤵
                                    PID:2544
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OUKIMHPDFXVEEYN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
                                      18⤵
                                      • Adds Run key to start application
                                      • System Location Discovery: System Language Discovery
                                      PID:2180
                                      • C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
                                        17⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1144
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
                                          18⤵
                                      PID:2452
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
                                        19⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:3272
                                          • C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
                                            18⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2420
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
                                              19⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:4544
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
                                                20⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:4680
                                            • C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
                                              19⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3416
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHUFEI.bat" "
                                                20⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4476
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACFQRMLNDQYHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
                                                  21⤵
                                                  • Adds Run key to start application
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2016
                                              • C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
                                                20⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of SetWindowsHookEx
                                                PID:3004
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJQA.bat" "
                                                  21⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:5096
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRWDEBKCHVVJKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
                                                    22⤵
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4616
                                                • C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
                                                  21⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:3212
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
                                                    22⤵
                                              PID:1296
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
                                                23⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:4072
                                                    • C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
                                                      22⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2016
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXODMY.bat" "
                                                        23⤵
                                                PID:4496
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IITQOSNVJKDKKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe" /f
                                                  24⤵
                                                  • Adds Run key to start application
                                                  PID:1956
                                                        • C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe"
                                                          23⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1576
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDHXY.bat" "
                                                            24⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1976
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJOBNVNACWSNBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe" /f
                                                              25⤵
                                                              • Adds Run key to start application
                                                              PID:2528
                                                          • C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe"
                                                            24⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4616
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
                                                              25⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:736
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
                                                                26⤵
                                                                • Adds Run key to start application
                                                                PID:4796
                                                            • C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
                                                              25⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2804
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
                                                                26⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:3816
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f
                                                                  27⤵
                                                                  • Adds Run key to start application
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3488
                                                              • C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe"
                                                                26⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:3868
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
                                                                  27⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4520
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
                                                                    28⤵
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:4332
                                                                • C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
                                                                  27⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:4900
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
                                                                    28⤵
                                                                      PID:5048
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
                                                                        29⤵
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:5044
                                                                    • C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
                                                                      28⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2240
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEM.bat" "
                                                                        29⤵
                                                                          PID:4388
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROSNVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe" /f
                                                                            30⤵
                                                                            • Adds Run key to start application
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4324
                                                                        • C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe"
                                                                          29⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:2528
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
                                                                            30⤵
                                                                              PID:4644
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
                                                                                31⤵
                                                                                • Adds Run key to start application
                                                                                PID:1572
                                                                            • C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
                                                                              30⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4464
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
                                                                                31⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3000
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe" /f
                                                                                  32⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:2444
                                                                              • C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe"
                                                                                31⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:4864
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
                                                                                  32⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4052
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
                                                                                    33⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2200
                                                                                • C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
                                                                                  32⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4400
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYQFN.bat" "
                                                                                    33⤵
                                                                                      PID:4520
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MJJVRPTOWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /f
                                                                                        34⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:3736
                                                                                    • C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe"
                                                                                      33⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:4680
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVSS.bat" "
                                                                                        34⤵
                                                                                          PID:3296
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MOJHKNUDPTEQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
                                                                                            35⤵
                                                                                            • Adds Run key to start application
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1956
                                                                                        • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
                                                                                          34⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:2116
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
                                                                                            35⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:424
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
                                                                                              36⤵
                                                                                              • Adds Run key to start application
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1976
                                                                                          • C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
                                                                                            35⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3768
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFNF.bat" "
                                                                                              36⤵
                                                                                                PID:2240
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHHJEABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f
                                                                                                  37⤵
                                                                                                  • Adds Run key to start application
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4284
                                                                                              • C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"
                                                                                                36⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:3032
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
                                                                                                  37⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:3260
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe" /f
                                                                                                    38⤵
                                                                                                    • Adds Run key to start application
                                                                                                    PID:1064
                                                                                                • C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe"
                                                                                                  37⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:2460
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "
                                                                                                    38⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:4464
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
                                                                                                      39⤵
                                                                                                      • Adds Run key to start application
                                                                                                      PID:3404
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
                                                                                                    38⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:2160
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "
                                                                                                      39⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1028
                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FCRREGBBWRFMGLI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe" /f
                                                                                                        40⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:2260
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe"
                                                                                                      39⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:2888
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGGEMF.bat" "
                                                                                                        40⤵
                                                                                                          PID:4436
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /f
                                                                                                            41⤵
                                                                                                            • Adds Run key to start application
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:1336
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe"
                                                                                                          40⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetThreadContext
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:2492
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
                                                                                                            C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
                                                                                                            41⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:3580
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                              42⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:4816
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                43⤵
                                                                                                                • Modifies firewall policy service
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Modifies registry key
                                                                                                                PID:4556
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                              42⤵
                                                                                                                PID:4628
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                  43⤵
                                                                                                                  • Modifies firewall policy service
                                                                                                                  • Modifies registry key
                                                                                                                  PID:4788
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                42⤵
                                                                                                                  PID:4884
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                    43⤵
                                                                                                                    • Modifies firewall policy service
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Modifies registry key
                                                                                                                    PID:2364
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                  42⤵
                                                                                                                    PID:2496
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                      43⤵
                                                                                                                      • Modifies firewall policy service
                                                                                                                      • Modifies registry key
                                                                                                                      PID:924

                                Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\TempAHVDQ.txt

                                        Filesize

                                        163B

                                        MD5

                                        e5fea69fd378f24cd1e7dc48ceb8289b

                                        SHA1

                                        40726f47bb9fdd955834922939ddf3f5404583b9

                                        SHA256

                                        5399625df7343f1ac173b24c626b96e7ea6eb480c6745331fcdf5b1b14901b09

                                        SHA512

                                        ca258556151b7f69d0a0368418469edae5092593d2a3a5833e380f91e66d8bf688626a12b40d68bbd8bb9e783b64d6126fab2ac614efc3c0bcd5f424a3d29a2b

                                      • C:\Users\Admin\AppData\Local\TempBEFPK.txt

                                        Filesize

                                        163B

                                        MD5

                                        5d5193981fbb091f2db96343213a1540

                                        SHA1

                                        ff915d08eb74f807c0f4025cb9328452915d57b4

                                        SHA256

                                        0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611

                                        SHA512

                                        22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3

                                      • C:\Users\Admin\AppData\Local\TempCVTCC.txt

                                        Filesize

                                        163B

                                        MD5

                                        275174313a2b433bea4412f51746c984

                                        SHA1

                                        0eebf035c90c4e225cf33705775a9c5fb5cbc211

                                        SHA256

                                        1feb545981a83465d1f2c20a7da63705bf9b372db4fb3cc0760467322cd5504f

                                        SHA512

                                        16db370572f3579761721ffa45abace7f5d7554785288fd8d1e9a127654c5e6e97f8621dafe5e056785b96e3ab6245bbd680e2836ecb2e4a8b4a708e54924c93

                                      • C:\Users\Admin\AppData\Local\TempDXBNK.txt

                                        Filesize

                                        163B

                                        MD5

                                        2f8d9f8f839cefaf6e793c822df4b87c

                                        SHA1

                                        f12d7e789a19dc007186bbe483fc8244f76f6409

                                        SHA256

                                        894c1f0c748825d255dc02505fbc207346d341ffcaa0716bf777fc9d5f66b2e5

                                        SHA512

                                        7aafcc9c63587e06c1e1f28b1a809457f5921840b009b69d8c36107386f39a0a492bb13a5ab3b56416686f79cc33fb4f20a16c711670a3c568fe50f4b2712ecb

                                      • C:\Users\Admin\AppData\Local\TempDYBNK.txt

                                        Filesize

                                        163B

                                        MD5

                                        9b43f1e53278510e2b5775bc17f3827d

                                        SHA1

                                        a0f267cb87243f5c90671be07e6af69093dfedca

                                        SHA256

                                        35f64b5dc8c76cd13d69761f7af1983305a31b1289a2ff0275f206b83dee395d

                                        SHA512

                                        555d924197b1c4b0aa9807149454ca383f6bbddc39806b28b1538c2ee7252e594180912c1dd0368b6089ef7dba2c8cf49281391a3964a247464ed1bcdec83402

                                      • C:\Users\Admin\AppData\Local\TempESYKG.txt

                                        Filesize

                                        163B

                                        MD5

                                        69608039a9100b66344d0e27f28327a8

                                        SHA1

                                        3fbf0948e290149ffb90b21d9e3a401258de0d9a

                                        SHA256

                                        1cae5fe5857a1de42e0423f499784d1f1d501cb7a5a91c479b51c73650e6eea0

                                        SHA512

                                        4a363a1c576361a358d4a878099c99d905ffd54806868f8fbbea3edd1d7982afe4f71de32435deb901ad36d1ec145c6d949f0498dad5d3d6cfcc1a551bd3b0ab

                                      • C:\Users\Admin\AppData\Local\TempEWVSS.txt

                                        Filesize

                                        163B

                                        MD5

                                        393d3bbac3e0801b7c7ad74ef52aec45

                                        SHA1

                                        8d592a375f8e568d475226aa524889ae9c7cf0b1

                                        SHA256

                                        6a386293abcb8f980e7215c56efb83b1c8752d6a6ca8cdbe06816534ff236605

                                        SHA512

                                        4d76a25d169c51025af3d6013259a07e697f6312745d254ba5e47f46f77f63fe49b20eec5ed731b7b1d3630379429c8701935fb28436a4d3514fa54b5582e838

                                      • C:\Users\Admin\AppData\Local\TempFYYNW.txt

                                        Filesize

                                        163B

                                        MD5

                                        55ae9eaf6bbf34f43d2b174ad6d75110

                                        SHA1

                                        5d828ffea60910fd94a9955fbaf2d31f9deeccfe

                                        SHA256

                                        5e8f4b6191f88b6e94835de40dadc0eb7543bb512cba996049bc01d1fd73359a

                                        SHA512

                                        2aea0961f2890f47b695ad363b7be7414c87a27c7669708f57d32184b42b64a48e9427901a7581db444cc0816313b544c9f36b48b133c1a14ca398c056ba4119

                                      • C:\Users\Admin\AppData\Local\TempGAOXK.txt

                                        Filesize

                                        163B

                                        MD5

                                        598c7a777f5f0a84cc669b3a7f8b600a

                                        SHA1

                                        2de190e40ca2e0371431d3ac32fcb09e0de43e73

                                        SHA256

                                        35097cc0642644b48962b699c8449c6e4a7e7b3f8aa84004c406cf5a729f2153

                                        SHA512

                                        40daadec0a15451ee14053983a19ea3428c213eb2bc5c8028fa29409041c68a0a28e46507815923bf0d6e4649720de9c192c0876577e1244df2974d6ee286de1

                                      • C:\Users\Admin\AppData\Local\TempGBIWE.txt

                                        Filesize

                                        163B

                                        MD5

                                        9d8a73676ceac800fa001ece1f4e52f3

                                        SHA1

                                        789fff73252bda26653a511337e96d9121f836b7

                                        SHA256

                                        aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51

                                        SHA512

                                        b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

                                      • C:\Users\Admin\AppData\Local\TempGGEMF.txt

                                        Filesize

                                        163B

                                        MD5

                                        f6d84f48ffef89e54d20d7a0efb4dbbe

                                        SHA1

                                        6d8779f55eff63cf837b88cd38fe5b82b898eb6d

                                        SHA256

                                        d8a7b021bfc52f0396fb8a2eb1f2f4b9b4fd13ac81a66a0436062fcce4a27c21

                                        SHA512

                                        5ef6f47946907fdcdf5a1d6c794692b7f283ec24906ebaa886caee01aed9a026768fc2fe59b476615bb30ee78e5ca8743a16546d7f44962073cdfbf05c0487e9

                                      • C:\Users\Admin\AppData\Local\TempGWJQA.txt

                                        Filesize

                                        163B

                                        MD5

                                        ff00f653cca12ff89c1093f4c4474057

                                        SHA1

                                        61de0079c2342226a77b8ae63b3134b67e30bc55

                                        SHA256

                                        8b8d3faa6fcf447f05567e088de707146c7198280d2cfba32c7bc0a29c257727

                                        SHA512

                                        20ec421758ffb87a796b6c8a8f7da9a521c4f1002293cd432d4a36de44284fe31065e630e6422af7dadaa0a9bd2244b941dac9b820d5cddbb51e0c120ccc0fde

                                      • C:\Users\Admin\AppData\Local\TempHUFEI.txt

                                        Filesize

                                        163B

                                        MD5

                                        d167a03d6dd56673d92cafa5d589ed7a

                                        SHA1

                                        3dcd857ce064770758fa80f35b3f648277b44389

                                        SHA256

                                        5d325eaf8c6e6c29bfc248ce2cd439f2e648dbb921e018f08e2b91080807ff68

                                        SHA512

                                        873bcf5a77b2a7354e3fcd8927312e7da76863130ec5e57eae0eb12e3cd7d2903f8a536265bc3289a05fa1e27d2669b8c048097a214e1f4618fdb07732dc36f8

                                      • C:\Users\Admin\AppData\Local\TempJRIGS.txt

                                        Filesize

                                        163B

                                        MD5

                                        64d0c25d229ee11d34007aca9e0a800f

                                        SHA1

                                        546a8ccc6d36f93efd41ab04b2d7063fc2864072

                                        SHA256

                                        5f04f7e88481707ccdb5e17f4fab5d9389edc620d1e86da98b30897c05bfd50f

                                        SHA512

                                        fa96fad4fafa3c3618559d62ec42d46fa3bba62c7fbb27d85dacb83997a3f7bff35a175c234013d635fa006fc49ed99cb014c954ef3e9c4f732c68d2ff3dd7ef

                                      • C:\Users\Admin\AppData\Local\TempJWHGK.txt

                                        Filesize

                                        163B

                                        MD5

                                        cd7b73ecdab64dfabaa705c8175aa245

                                        SHA1

                                        f28fb8fca424755a0dbd828c77c6d0e583b9fdbf

                                        SHA256

                                        3c9928829d3e5d2b03d80be1301e08e77f42dbd1247665728c0751931459099e

                                        SHA512

                                        bdef52704c32326b0e08a96e910a650a3ee5c5e1ec956aa839bf49bbd0227d87fa540c466686a9616a0cd4e0e7ec55fded3efb66719ca6acf9fd9584e57f489d

                                      • C:\Users\Admin\AppData\Local\TempKLUQE.txt

                                        Filesize

                                        163B

                                        MD5

                                        68603a3bf33b1371944acc84fda0d5c3

                                        SHA1

                                        8a5cc76d43e8854a064902a694058a4f0139da4d

                                        SHA256

                                        0c380579cfffe81c26242eeac446dbbaa5cf10bffe6c9ad0517dce461f07c4d3

                                        SHA512

                                        d3db01ba305d3cba257fd53ee0d087f639a723587311a2df6938e96dbfb070ddb3404794b2b029b87ed388604cd6239509de1824bb1ce5b12d3eac45e294355f

                                      • C:\Users\Admin\AppData\Local\TempKTPCO.txt

                                        Filesize

                                        163B

                                        MD5

                                        e19b90bfba2c69d2c21ac3776c877917

                                        SHA1

                                        85d70a13fc6e4842be8e175522d24be6bd879a9e

                                        SHA256

                                        f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5

                                        SHA512

                                        3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f

                                      • C:\Users\Admin\AppData\Local\TempKTPCO.txt

                                        Filesize

                                        163B

                                        MD5

                                        6924cd32a0a33db2140009298b4b812a

                                        SHA1

                                        6442a9818093e0fb37b9af856fccd6ccaf8a5737

                                        SHA256

                                        aded1d2932822ab8a791a717911af196bcf7715493bbea38730a9c3e64efba9f

                                        SHA512

                                        1761311e8094f56c790d3c2cce5b52d6a9e2410766c596d189e3d9d0a16135ffa36ddc609364fbc1de751497759da17feb2c2ff18c5a47527a4c13190f9fcf4a

                                      • C:\Users\Admin\AppData\Local\TempLIQDJ.txt

                                        Filesize

                                        163B

                                        MD5

                                        957ad5dbaa44ac91d5d250272d2a94e1

                                        SHA1

                                        d6c101bb30848098ab9c181fbbc422278ab6f6e3

                                        SHA256

                                        64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582

                                        SHA512

                                        052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857

                                      • C:\Users\Admin\AppData\Local\TempLTKFO.txt

                                        Filesize

                                        163B

                                        MD5

                                        3e754df7e64a9ec957e2a556e1f5747a

                                        SHA1

                                        cf8dcc90da533279b0e57f0ddfc8df475be032b5

                                        SHA256

                                        8c5de31afed06c70ef24683520aebc07506b62556530d2f441e29e1089e6d599

                                        SHA512

                                        597a30f19d670397e21068524210b687db3f000b1c9223d24620f7894e75d41daec1af471d02eb0039601253f5918612979c0fea88d852aa64633ef24b481e97

                                      • C:\Users\Admin\AppData\Local\TempMUGNS.txt

                                        Filesize

                                        163B

                                        MD5

                                        11ad762658723fe1b07038c8e4abc9b0

                                        SHA1

                                        6b1230f97f32cc96cb804b5f8f298db5256d61b6

                                        SHA256

                                        50785427907723a9a882eb1d1445f49c12aa49c2c91ebbd6ff09907d535b6a72

                                        SHA512

                                        772ec9d8d6caa163e5d2b1aeffc90df81ea74a513117b85389d5e880e257de1cc6405817cf340474a71e4d9fdab3a005610e563b37586add9416a5cf4575da88

                                      • C:\Users\Admin\AppData\Local\TempNCLWU.txt

                                        Filesize

                                        163B

                                        MD5

                                        5ef664327d98f54123692599492aaf28

                                        SHA1

                                        526ce8210feaf0ecce7d4bd510287fdd8236abed

                                        SHA256

                                        25fb1541225d23d003873be0bd315f6568caa114d1b2e26aabcca6479afa1fa0

                                        SHA512

                                        f3a91a5b033967b52b3755f34976e5226408810fddc432a31a6eef0b6032d1f087ff86be4ab927fbd4b299bc13caebe4de7513805b8e8377dc351a60ac70988f

                                      • C:\Users\Admin\AppData\Local\TempNOXTA.txt

                                        Filesize

                                        163B

                                        MD5

                                        2f639433a90ffd80f88b06472aaee1ca

                                        SHA1

                                        dd95f3059098502e98cb1f11ac51b756c509fb67

                                        SHA256

                                        1adf52f8a0dd36c614052aa308038793d2c314af5e50719c6d987888c77f4866

                                        SHA512

                                        24bf0e75536c0e50be3e88c7e95ef7fcf6f9fb17e54620d35e05bbaf251556a81a552f0d5cae5d1c1d8d79d62d87e3ee591e3126de0c0fedacd2c684820db5d4

                                      • C:\Users\Admin\AppData\Local\TempNWSAF.txt

                                        Filesize

                                        163B

                                        MD5

                                        1a15ba0942c96ad946befe1a84299150

                                        SHA1

                                        81cb5052e3dfbfccfce36ebe614cda1163f72d99

                                        SHA256

                                        00f4acfc005e1e8dd5cd682d989afe03f1e7ea57a57fada424cf43a6d33920b9

                                        SHA512

                                        e9833508ee354ba75bbf490d6cc67783a27f8da1acd56d42045d81257d29057f350bc5f98943caec0ca5d8cb1b9697ee782c6795316c38fa309227e866bf6268

                                      • C:\Users\Admin\AppData\Local\TempPXATT.txt

                                        Filesize

                                        163B

                                        MD5

                                        c04a1800909a8333e71fc197ff071d9d

                                        SHA1

                                        12305c72700402a3574bdce6bab13accf4c3520e

                                        SHA256

                                        9fd133e75523e0545c523bcaa549d63c7b0a0c061da1020cebcf05bcbd9c825f

                                        SHA512

                                        eda4a8f1c4c00b6a813678e8cbda76ef6fba0365089216aaa81938db677029e618901709b7d63993a48cca9be5d4accdb9a892d431d7a96739291e10560e4c7a
