Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/03/2025, 06:30

General

  • Target

    cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe

  • Size

    520KB

  • MD5

    52addf8bd42614efa69dc85209d6e760

  • SHA1

    755a0bd27dfff5247bd8af2eb3de71d8dee93837

  • SHA256

    cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2

  • SHA512

    7ca4732063b2f5420d40ea1a1235d31aa1cebd5d07bc4270c96d76d3508a1c4d5a2142bec4e9d9baf99f52cc95c1ac298715e8374542a9a34b02d44f78396989

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 9 IoCs
  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 39 IoCs

    Looks up the country code configured in the registry, likely for a geofence check.

  • Executes dropped EXE 40 IoCs
  • Adds Run key to start application 2 TTPs 39 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
    "C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEBKCH.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5524
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LUSDXKDXEUNQSXD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:4940
    • C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe
      "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRALSW.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYXJRISOJSETDTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:3000
      • C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5896
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5716
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMAMYUASWROPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:5316
        • C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
          "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTQLR.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJXWIQIRNIYSDTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe" /f
              6⤵
              • Adds Run key to start application
              PID:2228
          • C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe
            "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5548
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGNIMJ.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4856
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTABGDSSFHCACXS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:5572
            • C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe
              "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2236
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPENAW.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4644
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JURPTOWKLELLUQY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:1016
              • C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
                "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1076
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4712
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONAIRYJFAQJKTWY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:2932
                • C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPCXB.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:4220
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTRVQYNOAGNOWSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
                      10⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:2136
                  • C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1168
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXEFCL.bat" "
                      10⤵
                      PID:2600
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CMVTDAYKEYFVORS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe" /f
                          11⤵
                          • Adds Run key to start application
                          PID:5988
                      • C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe"
                        10⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:5020
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRDAFA.bat" "
                          11⤵
                        PID:5440
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVMJETNOXNOLUGM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
                              12⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:4988
                          • C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
                            11⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious use of SetWindowsHookEx
                            PID:5444
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
                              12⤵
                              • System Location Discovery: System Language Discovery
                              PID:2292
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOHISVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
                                13⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:2348
                            • C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
                              12⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              PID:2024
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYTHO.bat" "
                                13⤵
                                • System Location Discovery: System Language Discovery
                                PID:3864
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKPUBCHAETTGIDB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f
                                  14⤵
                                  • Adds Run key to start application
                                  PID:6020
                              • C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"
                                13⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:4760
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
                                  14⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:848
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f
                                    15⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:6132
                                • C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"
                                  14⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5416
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
                                    15⤵
                                PID:3588
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPMRERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe" /f
                                        16⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:5244
                                    • C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe"
                                      15⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4912
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIBEF.bat" "
                                        16⤵
                                  PID:2916
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKAVSRVIMIGWULK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
                                            17⤵
                                            • Adds Run key to start application
                                            PID:3992
                                        • C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
                                          16⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of SetWindowsHookEx
                                          PID:988
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
                                            17⤵
                                    PID:824
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
                                                18⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:2112
                                            • C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
                                              17⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of SetWindowsHookEx
                                              PID:6116
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
                                                18⤵
                                      PID:4300
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVMJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe" /f
                                                    19⤵
                                                    • Adds Run key to start application
                                                    PID:3336
                                                • C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe"
                                                  18⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:4652
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
                                                    19⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5224
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe" /f
                                                      20⤵
                                                      • Adds Run key to start application
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3544
                                                  • C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe"
                                                    19⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1916
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJQUG.bat" "
                                                      20⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:3204
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HPHYQMHXQCRBRSP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
                                                        21⤵
                                                        • Adds Run key to start application
                                                        PID:3552
                                                    • C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
                                                      20⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:5640
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
                                                        21⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5148
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe" /f
                                                          22⤵
                                                          • Adds Run key to start application
                                                          PID:4972
                                                      • C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe"
                                                        21⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:400
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMSXJ.bat" "
                                                          22⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:5600
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YXJSJTPKTEUETUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe" /f
                                                            23⤵
                                                            • Adds Run key to start application
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5548
                                                        • C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe"
                                                          22⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:6008
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
                                                            23⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5648
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEGWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f
                                                              24⤵
                                                              • Adds Run key to start application
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2376
                                                          • C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"
                                                            23⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4640
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJRA.bat" "
                                                              24⤵
                                                  PID:3548
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRXDEBKCHWVJKFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
                                                                  25⤵
                                                                  • Adds Run key to start application
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2400
                                                              • C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
                                                                24⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:4908
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPDG.bat" "
                                                                  25⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3592
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYCUSBCVKYGPGDP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f
                                                                    26⤵
                                                                    • Adds Run key to start application
                                                                    PID:4576
                                                                • C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"
                                                                  25⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:3516
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBIMA.bat" "
                                                                    26⤵
                                                                      PID:5524
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHQYIEPIJTWXJKH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f
                                                                        27⤵
                                                                        • Adds Run key to start application
                                                                        PID:6116
                                                                    • C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"
                                                                      26⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:5552
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHADEO.bat" "
                                                                        27⤵
                                                                          PID:2020
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJURQUILHFWUKKM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
                                                                            28⤵
                                                                            • Adds Run key to start application
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5272
                                                                        • C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
                                                                          27⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:5296
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIYLSC.bat" "
                                                                            28⤵
                                                                              PID:5516
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PTYFGDMEJXXLMHF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
                                                                                29⤵
                                                                                • Adds Run key to start application
                                                                                PID:5200
                                                                            • C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
                                                                              28⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:5100
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
                                                                                29⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:5316
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
                                                                                  30⤵
                                                                                  • Adds Run key to start application
                                                                                  PID:2864
                                                                              • C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
                                                                                29⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:5308
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
                                                                                  30⤵
                                                                                    PID:5904
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe" /f
                                                                                      31⤵
                                                                                      • Adds Run key to start application
                                                                                      PID:1424
                                                                                  • C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe"
                                                                                    30⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:5268
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
                                                                                      31⤵
                                                                                        PID:5220
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
                                                                                          32⤵
                                                                                          • Adds Run key to start application
                                                                                          PID:2872
                                                                                      • C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
                                                                                        31⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:2032
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
                                                                                          32⤵
                                                                                            PID:3272
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
                                                                                              33⤵
                                                                                              • Adds Run key to start application
                                                                                              PID:2440
                                                                                          • C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
                                                                                            32⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:4920
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
                                                                                              33⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1436
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
                                                                                                34⤵
                                                                                                • Adds Run key to start application
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5504
                                                                                            • C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
                                                                                              33⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:1004
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
                                                                                                34⤵
                                                                                                  PID:2812
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCXJYEIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe" /f
                                                                                                    35⤵
                                                                                                    • Adds Run key to start application
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:5280
                                                                                                • C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe"
                                                                                                  34⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:5856
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
                                                                                                    35⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:3648
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe" /f
                                                                                                      36⤵
                                                                                                      • Adds Run key to start application
                                                                                                      PID:3336
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe"
                                                                                                    35⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:4764
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOJXWI.bat" "
                                                                                                      36⤵
                                                                                                        PID:4848
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFVUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
                                                                                                          37⤵
                                                                                                          • Adds Run key to start application
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:6072
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
                                                                                                        36⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                        PID:5524
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "
                                                                                                          37⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:3876
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f
                                                                                                            38⤵
                                                                                                            • Adds Run key to start application
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:6104
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"
                                                                                                          37⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                          PID:1784
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIVWWB.bat" "
                                                                                                            38⤵
                                                                                                              PID:2796
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QRNLNDQYHSXHUFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f
                                                                                                                39⤵
                                                                                                                • Adds Run key to start application
                                                                                                                PID:3480
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe"
                                                                                                              38⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:5564
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
                                                                                                                39⤵
                                                                                                                  PID:3616
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe" /f
                                                                                                                    40⤵
                                                                                                                    • Adds Run key to start application
                                                                                                                    PID:3504
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe"
                                                                                                                  39⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:5960
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempROXJP.bat" "
                                                                                                                    40⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:2912
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VUGOGYPMGWQBRAQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /f
                                                                                                                      41⤵
                                                                                                                      • Adds Run key to start application
                                                                                                                      PID:2180
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe"
                                                                                                                    40⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:3972
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
                                                                                                                      41⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:864
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                        42⤵
                                                                                                                          PID:5452
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                            43⤵
                                                                                                                            • Modifies firewall policy service
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            • Modifies registry key
                                                                                                                            PID:5244
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                          42⤵
                                                                                                                            PID:5096
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                              43⤵
                                                                                                                              • Modifies firewall policy service
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Modifies registry key
                                                                                                                              PID:2124
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                            42⤵
                                                                                                                              PID:2872
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                                                43⤵
                                                                                                                                • Modifies firewall policy service
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry key
                                                                                                                                PID:3108
                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                              42⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5660
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                                                43⤵
                                                                                                                                • Modifies firewall policy service
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                • Modifies registry key
                                                                                                                                PID:4876
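
The reg.exe lines in the tree above are the detection-relevant part of this run: a per-user Run key pointing at a dropped service.exe under AppData\Local\Temp, DoNotAllowExceptions set to 0 on the StandardProfile firewall policy key, and an AuthorizedApplications\List entry whitelisting the same service.exe under the display name "Windows Messanger" (the sample's own string). The Python below is an added example, not part of the Triage report or of the sample: it parses REG ADD command lines as they appear in process-creation telemetry (unwrapping the `cmd /c` layer) and classifies them. The rule names, severities and the "user-writable path" heuristic are this example's own conventions, not Triage signature names; the sample command lines are copied from this process tree plus one constructed benign Run-key write for contrast.

```python
# Added example (not from the Triage report): classify REG ADD command lines.
import re
from dataclasses import dataclass
from typing import Optional

# Locations an unprivileged user can write to; an autostart entry or firewall
# exception pointing here is rated higher than one under Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\programdata\\|"
    r"[a-z]:\\windows\\temp\\|%(?:temp|tmp|appdata|localappdata)%)", re.I)
AUTOSTART_KEYS = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")
FIREWALL_POLICY = "\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\"

def split_cmdline(cmdline: str) -> list:
    """Split on whitespace, honouring double quotes (enough for reg.exe lines)."""
    tokens, cur, in_quote, have = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, have = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have:
                tokens.append("".join(cur))
            cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        tokens.append("".join(cur))
    return tokens

@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None

def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return key/value/data of a REG ADD (also inside `cmd /c ...`), else None."""
    toks = split_cmdline(cmdline)
    start = next((i + 2 for i in range(len(toks) - 1)
                  if toks[i].upper().rsplit("\\", 1)[-1] in ("REG", "REG.EXE")
                  and toks[i + 1].upper() == "ADD"), None)
    if start is None or start >= len(toks):
        return None
    add, args = RegAdd(key=toks[start]), toks[start + 1:]
    for flag, val in zip(args, args[1:]):   # /v NAME, /t TYPE, /d DATA pairs
        if flag.lower() == "/v":
            add.value_name = val
        elif flag.lower() == "/t":
            add.value_type = val.upper()
        elif flag.lower() == "/d":
            add.data = val
    return add

@dataclass
class Finding:
    rule: str
    severity: str
    note: str

def classify(cmdline: str) -> Optional[Finding]:
    """Rule names and severities are this example's own, not Triage signatures."""
    add = parse_reg_add(cmdline)
    if add is None:
        return None
    key, data = add.key.upper().rstrip("\\"), add.data or ""
    if key.endswith(AUTOSTART_KEYS):
        sev = "high" if USER_WRITABLE.match(data) else "low"
        return Finding("run_key_autostart", sev, f"{add.value_name} -> {data}")
    if FIREWALL_POLICY not in key:
        return None
    if (add.value_name or "").upper() == "DONOTALLOWEXCEPTIONS" and data == "0":
        return Finding("firewall_exceptions_reenabled", "high",
                       "DoNotAllowExceptions=0 lets list entries take effect")
    if key.endswith("\\AUTHORIZEDAPPLICATIONS\\LIST"):
        # Legacy entry format: <path>:<scope>:<Enabled|Disabled>:<display name>
        fields = data.rsplit(":", 3)
        enabled = len(fields) == 4 and fields[2].lower() == "enabled"
        sev = "high" if enabled and USER_WRITABLE.match(fields[0]) else "medium"
        return Finding("firewall_app_exception", sev, f"{fields[0]} as '{fields[-1]}'")
    return Finding("firewall_policy_modified", "medium", f"{add.value_name}={data}")

def scan(cmdlines) -> list:
    """Classify process-creation command lines, dropping non-matches."""
    return [f for f in map(classify, cmdlines) if f is not None]

# Constructed sample: the reg.exe lines from this report's process tree plus
# one benign Run-key write (made up for contrast; not from the report).
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f',
]
```

Two points worth scoring separately when this is turned into a real rule: the HKCU Run-key write needs no elevation, while the HKLM FirewallPolicy writes only succeed because the sandbox runs the sample as an administrator (here they did succeed, hence the "Modifies firewall policy service" signature), and the `AuthorizedApplications\List` path is the legacy XP-era policy layout, so the registry write itself, not any observed change in firewall behaviour, is the indicator this report supports.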

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

• C:\Users\Admin\AppData\Local\TempAMSXJ.txt
  Filesize: 163B
  MD5: d0d954c2feca1254478b636eb71fadfa
  SHA1: a677f9446da89b70997e4d1b97f12348715e347b
  SHA256: e5fb1a734cf7e835c7ce9fef8302c79d991735059caf09057ae0ec95ed27f6e2
  SHA512: 49f453e8d1d3b8d87137f4c3ff8131d936988c540679f049b05c0a5c95542c115bd23d1af73a80448fddd12eba898e45852fc9c96ec5021a12961baf206b7504

• C:\Users\Admin\AppData\Local\TempBTXSO.txt
  Filesize: 163B
  MD5: 57cd62770d9c62947b6e697cc7083b10
  SHA1: 2996798f11f51871658d287d3a4da9e3f6b424c5
  SHA256: e2cb556753927fd4e74431da49c1a0836ad2f63784fe9b0f2b53b9d439f9d7f9
  SHA512: bbea2b0ec1d516c9a12e8cb20941bf29f90da137afaa0d08d125f892a49b1cabf3124c1dadfccb7c47af8475ffb871a80b8abcb9b8f35d349db410a110160c8f

• C:\Users\Admin\AppData\Local\TempCGHQM.txt
  Filesize: 163B
  MD5: 3334a40a942cc16d2ad45a2889309dd7
  SHA1: 5f06d91a2023bd47d6729655e912c9b0132793e4
  SHA256: bd44b83dfc2a3fa8ee12af65ce6f5e1e4981cb299e81e9401ceae3e6ee9a6ed3
  SHA512: aaf549e556b882db67981f85c7fffd482b02bc3471ea7447993cc5e3493fd63de91e35e9df9ddddd1b08141007d2b132216264b8d424a0c0fddafa735738e04d

• C:\Users\Admin\AppData\Local\TempDYTHO.txt
  Filesize: 163B
  MD5: 2721a0efed39fcc955ff581ad2cce016
  SHA1: 5272c5552030f4e2641026c00017cb524b575218
  SHA256: e30fb3dee4f099fb555f908ac32d1385356cac42538c8c3d47c054b8a6d70c9d
  SHA512: 2427924a05e90408bc9b1ecc9516d0c7d491a283ab3a6280bf25e7382529478e259b6ff4b7d7fb66e0eb25714d1d18e998d02247cd5c6baada9b3202727c62e0

• C:\Users\Admin\AppData\Local\TempEBKCH.txt
  Filesize: 163B
  MD5: 0154f9a73dfa24e4db110e7e0b5d488f
  SHA1: 118cbf5620cf4674200239bff7978b33da4ec757
  SHA256: 4da95a7f4d7fa256ca33100a1554c1613aa197785e96e7971243fb6671bbaaa2
  SHA512: f55af93c1a1954abfac31fe253c03d2c089def788b9f61ff8fb35b377d325ea8203f4b3d34f2ae1cb2eeb3cc87ec3c0152d3da4335dc0e1c5141bfe8f9b76de6

• C:\Users\Admin\AppData\Local\TempGNIMJ.txt
  Filesize: 163B
  MD5: 4aeb60342681dd1614db8ef8f6596632
  SHA1: 271baadc59326a3633b3bfffbeefb54a6cd98718
  SHA256: a1319d76c758490d584eb149e669a96118ca318b7c690ab3f9643f9f6d21cae1
  SHA512: de162c38cccdccfb788167c7269edbfc5f4f8a1fa0039ba868a6320284f4c6526b80a9a2b89eeefc70c1a121947cd428994163d13fb20143c600196ed5e214f7

• C:\Users\Admin\AppData\Local\TempGWJRA.txt
  Filesize: 163B
  MD5: c703063fd9699a79ca142d1e2d775c2c
  SHA1: 631323156a949dd4038cf1052c99181fe6a34cfd
  SHA256: f6ba460a3d3c392b18b03a69573f185dd4e288df55d14a2b1fe25656f01a97ea
  SHA512: 9a44fbb82ce7a2bc59b5e0508a2e7244dd781a27cb05d9120d932be5f4ac6e699d24f5b499da87ddbcc097ad8f67381aa1bbacbc967fae52a71ba7fec7540127

• C:\Users\Admin\AppData\Local\TempGYXUU.txt
  Filesize: 163B
  MD5: fd5694efaf2c6554304de2e815bae5bd
  SHA1: 99666b647cd5d2d90b385ebf09f5309cebdf603d
  SHA256: 782adde119da1692e215623a4bceb0ee1eb9e107428069e68c4809da4d501feb
  SHA512: cb647362e661f08b394bead3d269a6f4e117556104495692a2febdffb8c8e0c433d73ac17da0d2026f507f2c9690bada9d7827f725c8876f3b9f0d109cba55fe

• C:\Users\Admin\AppData\Local\TempHADEO.txt
  Filesize: 163B
  MD5: db5fb29b75a252060468cfdd4d7b5b0e
  SHA1: 57bcc43986652c7770fa1abe231211b87756f306
  SHA256: b7eedc6f1b60537bc29268a85887d5956369b9fc00057d26ea3e2cbec143ffec
  SHA512: 07619586f22c1202466381d9ec4e0189764f6ba34543cdc1550c5a2fef72e243b836032152971f1e126b0b79e12a2334891f319bbd333561f223232d5360864e

• C:\Users\Admin\AppData\Local\TempHPBIM.txt
  Filesize: 163B
  MD5: 0e20f5ebcdd336c68a8df289877a6c77
  SHA1: 8fbc19b51c051d46668b14500736fcf153e0d638
  SHA256: e12b63e09936a547322a0753d689c180429f4f299c612cc876595c197b77220e
  SHA512: b500945bd195eb60abaf72798b5d9f0580b86c2ed8d7db17420c5394f342f2e31a6d38d8d2e0f23c48a77952a54cb3bdaf28ef2991531cf42e9534029a04182c

• C:\Users\Admin\AppData\Local\TempHPCXB.txt
  Filesize: 163B
  MD5: b57a11e88629e531c5a4eef8c515393e
  SHA1: 2e3f916956ab54ab9ed4ff349f33dd8c8763e7be
  SHA256: a044de7ae3f4ef52e038503ab02c6a3971c7883a35ccd6d95359c86009fb0ac0
  SHA512: 28a57b7cb1a96d2ec841b0e1fdc253de4700d8c022fee2b85f5100fcba36cae2a0ae40ac92d26815ec96c6d8a81b6f434605c5256d77ae69914e674560cdd1ab

• C:\Users\Admin\AppData\Local\TempIVWWB.txt
  Filesize: 163B
  MD5: b908e1090d474d1bc06c62cb0a36950f
  SHA1: 3e8cfda42c5494fdf507ff418ddab262fae021c3
  SHA256: 565015ce2f55bec05ee6939168b51b1211c6d992d78b29a3e8f3f8a6b6ced35b
  SHA512: 64cf079bea352a11cfd5bd11ebddc65f37bf74da2ccdcb4c8265c34b48c8291cb1c24baa2b75483b9229cc063b7149692b424a2b65c984778f2eb9352ccce5ac

• C:\Users\Admin\AppData\Local\TempIYLSC.txt
  Filesize: 163B
  MD5: 62828818534e6d2960464c250edb4842
  SHA1: 874cda1521db1f47c4c28b5e6382f08ed08bd07f
  SHA256: b75ffc3a8ec8f1c01c984af28e12da053ab66031ed57363a2e905444a757134e
  SHA512: 611ec89e655839776031288b07cfd6877d76f73353d9958d03d2fa33b48e0eb20de67a7922633706053c4b83b29f4012f53cfcc1ff8f88142890adc27ba4ab0f

• C:\Users\Admin\AppData\Local\TempJGOAH.txt
  Filesize: 163B
  MD5: c74edd6c4ce203f00a70a6b1de6310a9
  SHA1: 1fc7a4e39e6aa74af9a6b3c29c8798a305a4c11b
  SHA256: dcfc7e09ab970a0e0852b5554848a8fb6303f2d996e4267d27c3f65f72ad5840
  SHA512: 4f1da00d63ee409221835c8262d9516d005267cd2ab85f2d8f894038287e537466ecb1b14b17ad5d7ea27ab90aaa759e8dd3c64c31727783ab76191c32d0d66a

• C:\Users\Admin\AppData\Local\TempJKHQC.txt
  Filesize: 163B
  MD5: b86099f3542512c7dbc00e9321f85070
  SHA1: c0f2b7f78e948bc3b3dc985bf7578151969449ec
  SHA256: 2f0c377431e0f2a24518b65ea703471d3d350c57d3cd796922f2477eba885831
  SHA512: 04d42c85b7e35d3cb7345bbb222a862909ea9dbe4830f8872d0932a3d18ec559669ef6676b06000c119c77bef9c34e3dc0119737c49758beaa373a98a676e087

• C:\Users\Admin\AppData\Local\TempKYGUT.txt
  Filesize: 163B
  MD5: 1c95cf0a551ea20f4178aae177d34802
  SHA1: 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a
  SHA256: 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48
  SHA512: 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

• C:\Users\Admin\AppData\Local\TempLIRDJ.txt
  Filesize: 163B
  MD5: 99f13b36a689164b35d050f9a61f18ab
  SHA1: 125d94abb561e21e44fc89915c72d54b54ed8ec3
  SHA256: 4598ca2c379eabee04c8e41a255d6595bfd2c199f2aef1789a190eea72f1227a
  SHA512: c9d02c4b642b970868faaef0d4a993216d5d48ce9ae47bc07b32550b2c21e527392004de1da500f6e2418ebda9731d996636d6add21dd2baa8adf1e920b0e75e

• C:\Users\Admin\AppData\Local\TempMJSEK.txt
  Filesize: 163B
  MD5: 6088a7b709602153faa14cc20b97cab1
  SHA1: b02f8804235535fb01ea71d71d8ef5b9425d38ad
  SHA256: 3d26063b062ddec9f5a27f91ea49c3d393e68a53ae21b3fb37b5a31bc0ea9bee
  SHA512: 3e630811754642c32c5f0f9efb1dbe603f99b69e9747e1cbbf639de8f3ddcfe7bbf11a9dd38f179dd6026bbf4d6f8ae48f9f02b647595f0a7a72a7f856a9f8b8

• C:\Users\Admin\AppData\Local\TempNIBEF.txt
  Filesize: 163B
  MD5: fe1ecb9c57f0de93a512466e2be0aefe
  SHA1: 97f0e8cd5dc1ecd74293fd02921ff4f77eb7c76a
  SHA256: 044cbd5020747a02837f97615f28737ee79cbec0e69642b1c5b93b4d6ce67bb9
  SHA512: 8440d784d0b46b7d6fe376f0c58dd7d1622ddfb2f22ab433824aafed651eb3c524c553974df215dea59279418dd600bba5189c05b2752efe1617a28bc4d71766

• C:\Users\Admin\AppData\Local\TempNLPDG.txt
  Filesize: 163B
  MD5: 9ebcd45fe2a547f982759546b5393a86
  SHA1: 827f31fb1700575bedc81ec84e3492885dd34f1f
  SHA256: 797b6280225c1ff222195156ea350eea6c880a6424139939fc70df0cd5bf3062
  SHA512: ec5fc9fa602bf06899c17d090eeaa97cb087076cb0c32bb1057eb5302b5972265cb52bad48eb1fdc9534a34419ded23e2058a45a7dd1868fa49583ed8a1fe451

• C:\Users\Admin\AppData\Local\TempNLPKS.txt
  Filesize: 163B
  MD5: 8f1012487c4d0eae893688f24cfcd9dc
  SHA1: dcca6cfc7d73cd8d8f39faebf6d8fa384712bcb4
  SHA256: 1ec882d67159aa1d02e0694c1f215171856651ae682b5042fa921b334cd82b93
  SHA512: 1cf3a988561e4ecf68964d551737c6a30155b5db769043fbef2da1c5e289af722ef3d4d365244249511667ac0ea3f980bf3f01f5884806d633eb6087fb3ed9c3

• C:\Users\Admin\AppData\Local\TempOJXWI.txt
  Filesize: 163B
  MD5: c2b1f1aee91002f968818f11d47fffa7
  SHA1: d628ec8e54904d99a1514a3fc8b7c0213271b3fa
  SHA256: 5375db52ba6c6212b32b77b61cb686a0b9a302c83bc8990197cde586a9a03c4a
  SHA512: 4c4c1fbe3871736b0bfe9a39e6626a19a8889306d61a473f838118db986879f4d4e70bbe74a8023ea47129340fff4b3b41e2ba0ca4b8698ef2baff6dec1056d1

• C:\Users\Admin\AppData\Local\TempOKXXJ.txt
  Filesize: 163B
  MD5: bbcba080f74aa2b1f066df621ba2c56e
  SHA1: 7f4d7e934406ff949e209ef6df6e1c79ef62b360
  SHA256: dd38ce5046cdc489852a85feae011b6b3c2c33a6ac39496248e7a6c377b63d2e
  SHA512: 40d2e31125ba8aa042ebbefa850c34fc3f78023a0772677acabadc82867c2aec1c32703f2d806b680dc4f09c04ffe8983af86b2dbcb4972a9f7eb89832a74cd1

• C:\Users\Admin\AppData\Local\TempPBIMA.txt
  Filesize: 163B
  MD5: 513d90bbf2d7e36326b48ddae2cc139a
  SHA1: e88cd3dbcd82fd87b0d1cf96b9367d7c3ec56d88

                                            SHA256

                                            be12d7598930517ac57036d7c763fe92532a7efb93d62de5a031f0c3371c6e6d

                                            SHA512

                                            8db08159607cc18284b8cbdea29cb7b41752a483abc8d1160b93640148f8633613ea425cede1c6977c7414918018e09a96e3d249a7469e0900601f7f55ac6bff

                                          • C:\Users\Admin\AppData\Local\TempPENAW.txt

                                            Filesize

                                            163B

                                            MD5

                                            b201c10078a62c2a99e7cfeca4e3f43e

                                            SHA1

                                            5078164bf6e44ca9abcda98f6229b15033421ec9

                                            SHA256

                                            a7ae47c5ce602ce6b505556844a987207afc82858775fcf53cbcec47149d53fa

                                            SHA512

                                            530e5a4a79ed67ca13bbb1c377d4e7b9e85b73ae96ee5253874a75177d85fe1886ad41b7e4790ca6de0ea2863f0718dbe7b3190888c770cb3aede724df99774d

                                          • C:\Users\Admin\AppData\Local\TempPXATT.txt

                                            Filesize

                                            163B

                                            MD5

                                            b5a806e22ed0abfc04f934f184018e84

                                            SHA1

                                            9ce5a58dfaf6cb300315c9bbd16d4f1cb2481885

                                            SHA256

                                            7d3771478b2492ac38e33b6a9dee340c3be8b7498a8dacff62a8188d6c4744f3

                                            SHA512

                                            b57b0c3469e954e3e56d5d811f67e826b4df471147b4fc8116724d07e0e5562c62ea3d88b3f3e221fe3c703c52133e4d63bddbe4e56a4f376069062a0c67822c

                                          • C:\Users\Admin\AppData\Local\TempRALSW.txt

                                            Filesize

                                            163B

                                            MD5

                                            9c40475388fd040907f742e7c15cf05a

                                            SHA1

                                            a0a21af34c561b5621e03ae23136d5e34f626770

                                            SHA256

                                            0c2d35d0fa959eb18c1d476fdd0abd79de1bfd83115e65f05effd18b8135237e

                                            SHA512

                                            e1e3898e83c760ef011c449b917bd1a2091ab0738b304c87a23f219a4efc4bed8523e66fc62a8c744c12bc23d09b8e617d9debe349d9118254b61b4ff2c5b243

                                          • C:\Users\Admin\AppData\Local\TempRDAFA.txt

                                            Filesize

                                            163B

                                            MD5

                                            7c798abd8934060badccd224ea734451

                                            SHA1

                                            3c1ad8b95afed0650acc7c1464b8654eeb1ce270

                                            SHA256

                                            d0e7ee62a6f62569f71d734f2faa542d27c7e384931c74612b830f5d04ce28da

                                            SHA512

                                            ac499aa7d3d2264408fd3657e808a9f9af6ef5231de8f5f18a316f83ff92d2e08d84d5565f1df6fb988ce26e638d165cb392f9f101cb7afdc1be7efd564cb1d5

                                          • C:\Users\Admin\AppData\Local\TempREBQY.txt

                                            Filesize

                                            163B

                                            MD5

                                            1ffb98006093436d5a649eec89c19425

                                            SHA1

                                            67f3bbcbed0f789a77f7245f13c175d4f517f3e8

                                            SHA256

                                            dfa282cb2fe666bbdb1c559702f491066b2d8a763a4775fbee71fde42321ccb5

                                            SHA512

                                            fe12f09eb5c9e13275cb7b17953dcd54fb0a74261cc08965c4ebf7439b0089b5bde99aad4f5c374a00d8ed08c60074926369a7e1515d713eccc07c0397a31c1e

                                          • C:\Users\Admin\AppData\Local\TempROXJP.txt

                                            Filesize

                                            163B

                                            MD5

                                            da43c49f7ca754d61a922977215e3d56

                                            SHA1

                                            f885398eb53a3ee99fdf8917d9ed56835a25cbfa

                                            SHA256

                                            60a3044cfb513de682816cbbfdf7b12f40b7992af29fc3265e979bf98af2866f

                                            SHA512

                                            e55dde81880138eb196c71ebfe65f14a0f7ef59deefc93f50aca5872209fc24323f46d0bfbb034662d4ea27e46815b333250400158b9b7c22fbabe289d6225f5

                                          • C:\Users\Admin\AppData\Local\TempSTQLR.txt

                                            Filesize

                                            163B

                                            MD5

                                            c958b5d06371adedd154fa410e2038b4

                                            SHA1

                                            4dce9202deb1cba5eb0739a5f4fef4303edf1acc

                                            SHA256

                                            6b7920750cc87e9d22cbb5f39739554eba0c10a05705a041e4d93b37bdbe7b28

                                            SHA512

                                            00eb39c11a011c0170c7d8a11f1624cac795b2464ff241cf92564f86b67487e9b13e819167c10834c3cac0858df806fb87fa60b7bb4426a12a782ddafffde654

                                          • C:\Users\Admin\AppData\Local\TempUFEIV.txt

                                            Filesize

                                            163B

                                            MD5

                                            80fcdb7f0d083ecadec5420f5524c4df

                                            SHA1

                                            04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

                                            SHA256

                                            743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

                                            SHA512

                                            7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

                                          • C:\Users\Admin\AppData\Local\TempUGMRD.txt

                                            Filesize

                                            163B

                                            MD5

                                            aeda33b8e33f74ae220388442eea8f72

                                            SHA1

                                            f3ed95ecc7092b015c70ad52fa9d25e49f295fab

                                            SHA256

                                            f3ff7133ce2f5db2c19eefed19127af5c6e9bf8c1d7b850a02f1368e3393fb8b

                                            SHA512

                                            e70f4dcbceb2e2a79dc97d9d59dcb9f869dd381c41c123254775926088e600decb85a4eb15ccf071ae3e7b72af6b397868ddb4ea59815d5dbdc452ddcf090ef3

                                          • C:\Users\Admin\AppData\Local\TempVHFJX.txt

                                            Filesize

                                            163B

                                            MD5

                                            80e9dadead05662d6617aea90188dbe4

                                            SHA1

                                            899035a614c72bcb26b31011eb63aa89b5142914

                                            SHA256

                                            a144536a2fd5a2737935170ceea701b469b573f32d564d65d1fa1f3f144d93f0

                                            SHA512

                                            33f4dd56d6d3377c72374ada5fa4541536259f456c8e4235e25cbbc6cccce126582e413dd414575dff9e2b4392a3eb057e974667c8caca33fda2929cb6d70463

                                          • C:\Users\Admin\AppData\Local\TempWFFOK.txt

                                            Filesize

                                            163B

                                            MD5

                                            3fb6f383a6569a2644b9b521c3c29c63

                                            SHA1

                                            11473a58356b244d8a54c78626a17d72b634a474

                                            SHA256

                                            d3db2bf635e6d3a7e421257da4ec663bbdee3310bfcbde23237e73d8ad371335

                                            SHA512

                                            195c1c7a17fa85fc9953131516727c008a75f3ba97c625ae1ea7fae417a880159a6baf906f0a9fa2e3e69ef8707fddc54b472788a8e36948cbb94ca54ef1bde1

                                          • C:\Users\Admin\AppData\Local\TempWLXIH.txt

                                            Filesize

                                            163B

                                            MD5

                                            beb7827ed78d003005c06a6e75d39ca8

                                            SHA1

                                            b53687b4ebf0261ab24f931cbe49fdcd4462254f

                                            SHA256

                                            eadc4a0bd95f17102c5a1e0f5395919eaba58e5c21a9dc773f89d3621b1f8ff4

                                            SHA512

                                            02e1fb2f87d0c388c7f55e6de1a3b78c505e53cec5722753e0ebf950c9de247252e723adace937912bf4ae8954fabe9e31f070e311d7a2b38c01fcc962cbab72

                                          • C:\Users\Admin\AppData\Local\TempXEFCL.txt

                                            Filesize

                                            163B

                                            MD5

                                            20bcb72f1fa6e4c82242f065f4017009

                                            SHA1

                                            ba5a1b6d5142230a36a60c41ea58394309611f67

                                            SHA256

                                            e18c91c2222ec2978c3fa932705ef430ec15d186bb071104df27641d87d70d06

                                            SHA512

                                            e90b22f3a3734e45f6641c9a6107ddf1b74cec5d408c5cf5ea085abbd82f54cf5c43c5df4015741ab8a9da1d2e34c8f07c48ce9e7b44d4599e6d7bd4dab8a742

                                          • C:\Users\Admin\AppData\Local\TempXJQUG.txt

                                            Filesize

                                            163B

                                            MD5

                                            e3ebcc56b7907ca8b7fba58d5c507564

                                            SHA1

                                            ab5d14ba5f17e3b7516b3e3bd9003c087dd25d32

                                            SHA256

                                            4fa9a33d2bb2167877d27880ebf871ec024e0c0530e58ec9d71cf92fba9dfdc9

                                            SHA512

                                            95f288b00fb2efa45cb281e44726e09dc4995e6a0ee24e5e2628eb9a859ec290c07cc4ef2a1c76cdc7d8deae181ccd6648e79c1f1b6e2677066e789c477d4b4d

                                          • C:\Users\Admin\AppData\Local\TempYVBTX.txt

                                            Filesize

                                            163B

                                            MD5

                                            8d838174ee8ed3220ee3100477da63b9

                                            SHA1

                                            2cc94e920b38437218cc484daf44a3a0cb3a00db

                                            SHA256

                                            e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

                                            SHA512

                                            e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

                                          • C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            738107204a72c49ccdb597de9569fd30

                                            SHA1

                                            64457bad3c72ac6f6add083d708ff1f081b5e523

                                            SHA256

                                            261d70a808f902716ac0ca9cf549875d328eb10d368b4d6cdf9537a7acb96423

                                            SHA512

                                            f2f99e6b4cbdd91570c00a7b8e22dbb6f5f38744625cf5954ab52ae716d982e1d1437a8725c4302cdc72cbd3b834c82e04afc081a31c7a3d1cfa180eeeb702af

                                          • C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            cdcde536ec0365d9fb6da997ec1086c7

                                            SHA1

                                            a4a2f66455b166a591dd92563389ffce5a2fb968

                                            SHA256

                                            bceef303246face3c834c7a27b5c89a63d26f9b2c4615bee5b9e3537c2a135f5

                                            SHA512

                                            aebd3f815df842d6126dbf6d5c928db1138bbce0ac18f8c49ff7f45b1859d027fd3ec792c239e8322d6021477ac1b3a8e6b9aba7342001cffe5777e9df2fd8f3

                                          • C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            c10a9464dd11c14c79cd32fcf61c8feb

                                            SHA1

                                            76521edfa18020253e7ceb10cfb1a33bed50b6e4

                                            SHA256

                                            e08182b47f6d4b7b0a15a882cada320c7c3d34ab9863db348e0575122ea89fd9

                                            SHA512

                                            a908f94e8643d463caf8301eb2f821025cfa2f29eda6ac7ee45f2611823d393675124129af888ffa726988b0b8573dc6bf75ac266ea610407e143331ffe70e6c

                                          • C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            c5ef1ae20bd3d52a80513b237586b1f5

                                            SHA1

                                            021826bd83ece34564d4c19490695ac4993aaca4

                                            SHA256

                                            2cf15ad46d269f8edaa44da24fbac9ab2acdbdd301e4b071c224d5331612edac

                                            SHA512

                                            ee806e389e0114c71fbafec3ff1c979b1d82014d751a93e481f834366896eac0086f2952188569850556ccece016604d1892afc12e108a4a00d1e07334301a30

                                          • C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            2d396ce7795a2a0e6fb6159d0e47ae86

                                            SHA1

                                            fac74ed98bfd5fbde0083dac5f7ee5a7d36c6ede

                                            SHA256

                                            1b3195dd4b1836f2919b304520edfa078d677d94a9050eee736353a0b6d7aeb0

                                            SHA512

                                            0c7b8f55014b05308919149dde89e1c817a2d329ec9c95d91a883dcfb42c2ce7f5b7824fad55543b851c7db96e5bc02c30ae8aaec9b5dbdbdd5617b57e910bd8

                                          • C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            f2de50cb9ed930d494b9e5a60234515c

                                            SHA1

                                            7e01eb1f36466e3e85a6272512ca7b96ea324dc8

                                            SHA256

                                            35eaee6ccc0ea19608f18f7c4dfc8691fbe7ddd029d1a18071b04f28b05060cb

                                            SHA512

                                            005b1dc0ef142740c8d1ea7c00073e658b2d452b46b992a810b62f32876d8b40bf15168326ffd1b98eacdd52751f130cda2afb83e90480f4851bc0f582125c4c

                                          • C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.txt

                                            Filesize

                                            520KB

                                            MD5

                                            e9be840b7ebb3fdecda6e35bf2b6eb27

                                            SHA1

                                            ad3edb8a095e03ffc6d7e3d44c3ebf55c576f8c2

                                            SHA256

                                            c8ce38daf1b4260ccd7c1d9b174a66b639735d0387b1c79c0dd24998a31c5e15

                                            SHA512

                                            e7dfb16c01c7a8ff1951c9932519a113ce805d91bf4fda0a4bfef5023f2e0bfc7992f059af6f103117a26e04fc2087c98c555bb949e3df5c5384ba6fa35452cf

                                          • C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            7a28728772d8366fd5aaf97e278ec9b5

                                            SHA1

                                            37177582bc6e2af13404f5572227faec24914ac3

                                            SHA256

                                            c98e88ff4e5bfcfc636a58d260826084a26a474b648efe6b5148c6c1f1dc1376

                                            SHA512

                                            2266bf18a368df97dcebd64009b3f59ea0596492b9bfdb552d36258ab360c77e9861bcb0ca04d3e7019552aba5764e8c544112c86697e4b0c96d5e5721ba23ce

                                          • C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            b8601ae7246d168fdffd524574d1dfcf

                                            SHA1

                                            974ea7b0564596580a3253502a5827d089b5ceb1

                                            SHA256

                                            32e134979bf7cbfd4cf48267dee52cee12547c67d508b13e62d3122052bbee5d

                                            SHA512

                                            b95d1c7a8d925e8765ea3cb5765fa0151b29228f4dcfe251b9f48161457181430a6d014f1df85ba99ed04e203f58ddaa2ada126f6985376622d6c1d727495f39

                                          • C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            eebfa915440d8e4d6119e5d099a955d1

                                            SHA1

                                            c3a9419f8b2c366b21cb38b6702534975edfa32e

                                            SHA256

                                            772494431589b270861f9c92371bd4b5c9f0ada90a771f24ba1bd2ff570c3fcf

                                            SHA512

                                            2fd14486d8ff3b41eec7a79ecbaade52af286d1ee93ae7351866b2d4fc20b4400e4a6ce37985955089c75c38304e001c9fc91db02c586a25225f5bd7d317abf0

                                          • C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            e00e833e283e427b5e4464e88f7e0ab5

                                            SHA1

                                            2f573408aab8d546414ef1964b769b569fd34886

                                            SHA256

                                            8a975db2c674c67c619cc8bd29d768e8e667b04bc1ab1c0457a1473ebd3a77bc

                                            SHA512

                                            83051bdc4d4ce8d64102d25cf3489272bb8e1da1cc9006687d0f96a089212bae00f76892c9b1f0c92fd11d8a7fbe4ce078ac00c4ee31bdd43be7cebda35bebe4

                                          • C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            9ab633592d2f33b82e97bffd1cdc4c01

                                            SHA1

                                            b74ccf586fbd07c967f6547d1dca65618d04abf8

                                            SHA256

                                            657f1dfd898d71c2187a34628eb980360ea8c4cadfa334081490705f3a9f9a13

                                            SHA512

                                            bb55daad76f11bee9637d47efbf880e23551487d491c4398acba9c544a747bddf4b843eacdde2fcaed108add1dd26e19f665a132c2f19daf58a0488e42d11d4a

                                          • C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            80ed6bf178396d7f224ee9cc80fe69fc

                                            SHA1

                                            896715ef307993046dff77dd74247cf68283567c

                                            SHA256

                                            a2ce9060ea36b0d8659a1cbd47fb9e6b7d8f3ced3dec1eba75b693082866f975

                                            SHA512

                                            8928a415e3a9f67b96949a797ef3a2b37fb1242c78d4aa5c1f7129996538aaee4c4b1b7973d49880d6abfa8d480796529bff556a5b4634f86f0ffe164c066e6a

                                          • C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            bad57e7069fca39ed41925b1d2c81a43

                                            SHA1

                                            d30cc65758bedba4c0aa7c557320cb9b08a4ec0f

                                            SHA256

                                            3f1c9c3262a9f7c194f90356cb479cc4ff9ae326366835f07ade6f740d31bfcf

                                            SHA512

                                            58f42fdb608bc441a623026c2aeb277d470a0e5e7219da365f82331534cdc1a7a1572d89e219cfa1fa886d92c7dae06b0af9f0d1c0f9cfdcc5914fb95aab472c

                                          • C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            35f0917f7814aaf2f5b9417f84eb9fc7

                                            SHA1

                                            e7c72ab18038e8d06e76eb28091b31788e7c9f46

                                            SHA256

                                            f4b5fba3cd44b1971493cea4878b1cf85bf045f76808f1d0ba30f9c3697015e1

                                            SHA512

                                            209703ebc1158f777663bb9f031ca972cc0acfc8fa881464c722e45e98732508c6e2b8a7db10a3e051a908440f22a0a64beafd35504f5a279ad77d05561e9e11

                                          • C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            7fb9b6e1f4d32d58c84ba8c8acaf9938

                                            SHA1

                                            fb5caeaca5dee6ce9c9cf6b8bf3a88773d5401f6

                                            SHA256

                                            b8dbcb918412a414969fdf77721b05e0985b286f8af9f7af734a473295f4fd1a

                                            SHA512

                                            ba581ee4c41a94ecd4d39808c606b1a47cbc8dc758dc3a09bbf04ea49d9f5694adf5cafb1afb57c136cc941d82e1e4c8a41d774fbb3a945acccd101c3d3515cb

                                          • C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe

                                            Filesize

                                            520KB

                                            MD5

                                            28c8467e4b29874416185bdf3f43d63f

                                            SHA1

                                            145894a91a71ed5bca1d78bd7b31a6f471d9c7af

                                            SHA256

                                            fe17f6b824beeed7219a97417602b1b4d64882c09f401b11affd345efce4fb4f

                                            SHA512

                                            c89961fe7b92ee02efc2f76b219dfaf0b22bb6e1a5198df785fe08e97c3d17c26d5cd70152df66b17aff1a6511e7923e80c112c6cbae243ac1d6c95aaa997d57

                                          • C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

                                            Filesize

                                            520KB
