Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2025, 23:44

General

  • Target

    161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe

  • Size

    520KB

  • MD5

    ecf0e1633aff0a2cb8b263f7336ddd90

  • SHA1

    902a8eeb6eaf50a2071ded889fd9fe13e29cdf36

  • SHA256

    161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81

  • SHA512

    f2340f674a0d7a93ddb5c8ad5e5bbbe279d4b006f75953dc3a42332b2ed9e60e384c91e5b161335908d5e87aca07c989b47d1ec2d344f206539963d33b0e3211

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX8:zW6ncoyqOp6IsTl/mX8

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 7 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 38 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe
    "C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f
        3⤵
        • Adds Run key to start application
        PID:2696
    • C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
      "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2780
      • C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
        "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKLHFHXLSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1532
        • C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
          "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2592
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
              6⤵
              • Adds Run key to start application
              PID:320
          • C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
            "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2168
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:3068
            • C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
              "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempJJSNW.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2432
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGHSYPNRMUIJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  PID:632
              • C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe
                "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1344
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "
                  8⤵
                    PID:1284
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
                      9⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:1252
                  • C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:768
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2976
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
                        10⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:2844
                    • C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2008
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
                        10⤵
                        • System Location Discovery: System Language Discovery
                        PID:1596
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
                          11⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:1248
                      • C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
                        10⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2060
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHP.bat" "
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:2820
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
                            12⤵
                            • Adds Run key to start application
                            PID:2612
                        • C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2916
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
                            12⤵
                            • System Location Discovery: System Language Discovery
                            PID:2616
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
                              13⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:3040
                          • C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
                            12⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetWindowsHookEx
                            PID:1532
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
                              13⤵
                              • System Location Discovery: System Language Discovery
                              PID:1832
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
                                14⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:2664
                            • C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
                              13⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetWindowsHookEx
                              PID:1916
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
                                14⤵
                                • System Location Discovery: System Language Discovery
                                PID:2000
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe" /f
                                  15⤵
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:1156
                              • C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe"
                                14⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetWindowsHookEx
                                PID:3064
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
                                  15⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1856
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe" /f
                                    16⤵
                                    • Adds Run key to start application
                                    PID:2480
                                • C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2316
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
                                    16⤵
                                      PID:668
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOWFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe" /f
                                        17⤵
                                        • Adds Run key to start application
                                        PID:1068
                                    • C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe"
                                      16⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2032
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
                                        17⤵
                                          PID:1208
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGSWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
                                            18⤵
                                            • Adds Run key to start application
                                            • System Location Discovery: System Language Discovery
                                            PID:1756
                                        • C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
                                          17⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:1528
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\TempKUQDA.bat" "
                                            18⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2412
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
                                              19⤵
                                              • Adds Run key to start application
                                              PID:1784
                                          • C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
                                            18⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2548
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c ""C:\Users\Admin\AppData\Local\TempVSQUP.bat" "
                                              19⤵
                                                PID:1692
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESSGHCADYTGNINK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f
                                                  20⤵
                                                  • Adds Run key to start application
                                                  PID:2884
                                              • C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"
                                                19⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2752
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
                                                  20⤵
                                                    PID:2852
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
                                                      21⤵
                                                      • Adds Run key to start application
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2720
                                                  • C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
                                                    20⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2824
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
                                                      21⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2876
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
                                                        22⤵
                                                        • Adds Run key to start application
                                                        PID:1776
                                                    • C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
                                                      21⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1260
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
                                                        22⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1832
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MAVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f
                                                          23⤵
                                                          • Adds Run key to start application
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1520
                                                      • C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"
                                                        22⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2704
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempEJYWG.bat" "
                                                          23⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1608
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
                                                            24⤵
                                                            • Adds Run key to start application
                                                            PID:2700
                                                        • C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
                                                          23⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2168
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
                                                            24⤵
                                                              PID:1844
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
                                                                25⤵
                                                                • Adds Run key to start application
                                                                PID:908
                                                            • C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
                                                              24⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:408
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTE.bat" "
                                                                25⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:1508
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVPAQPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
                                                                  26⤵
                                                                  • Adds Run key to start application
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1524
                                                              • C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
                                                                25⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1648
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
                                                                  26⤵
                                                                    PID:604
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
                                                                      27⤵
                                                                      • Adds Run key to start application
                                                                      PID:2196
                                                                  • C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
                                                                    26⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:1924
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "
                                                                      27⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2032
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQNS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
                                                                        28⤵
                                                                        • Adds Run key to start application
                                                                        PID:2952
                                                                    • C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
                                                                      27⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:560
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
                                                                        28⤵
                                                                          PID:1528
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
                                                                            29⤵
                                                                            • Adds Run key to start application
                                                                            PID:1048
                                                                        • C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
                                                                          28⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:2556
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
                                                                            29⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2548
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
                                                                              30⤵
                                                                              • Adds Run key to start application
                                                                              PID:2736
                                                                          • C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
                                                                            29⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2956
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
                                                                              30⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2752
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHOJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
                                                                                31⤵
                                                                                • Adds Run key to start application
                                                                                PID:2816
                                                                            • C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
                                                                              30⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:3052
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
                                                                                31⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2796
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe" /f
                                                                                  32⤵
                                                                                  • Adds Run key to start application
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3028
                                                                              • C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe"
                                                                                31⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1300
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
                                                                                  32⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2904
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
                                                                                    33⤵
                                                                                    • Adds Run key to start application
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:1412
                                                                                • C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
                                                                                  32⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:1848
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempUGEJW.bat" "
                                                                                    33⤵
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:332
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f
                                                                                      34⤵
                                                                                      • Adds Run key to start application
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1544
                                                                                  • C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"
                                                                                    33⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:572
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
                                                                                      34⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1964
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
                                                                                        35⤵
                                                                                        • Adds Run key to start application
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1724
                                                                                    • C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
                                                                                      34⤵
                                                                                      • Executes dropped EXE
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:2040
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
                                                                                        35⤵
                                                                                          PID:2244
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f
                                                                                            36⤵
                                                                                            • Adds Run key to start application
                                                                                            PID:1884
                                                                                        • C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"
                                                                                          35⤵
                                                                                          • Executes dropped EXE
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1436
                                                                                          • C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
                                                                                            36⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:608
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                              37⤵
                                                                                                PID:1712
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                  38⤵
                                                                                                  • Modifies firewall policy service
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry key
                                                                                                  PID:928
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                37⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2572
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                  38⤵
                                                                                                  • Modifies firewall policy service
                                                                                                  • Modifies registry key
                                                                                                  PID:2952
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                37⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2068
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                                  38⤵
                                                                                                  • Modifies firewall policy service
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Modifies registry key
                                                                                                  PID:2976
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                37⤵
                                                                                                  PID:1284
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                                    38⤵
                                                                                                    • Modifies firewall policy service
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Modifies registry key
                                                                                                    PID:2992

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\TempDPVMJ.bat

                          Filesize

                          163B

                        • C:\Users\Admin\AppData\Local\TempEDHYU.bat

                          Filesize

                          163B

                        • C:\Users\Admin\AppData\Local\TempEJYWG.bat

                          Filesize

                          163B

                        • C:\Users\Admin\AppData\Local\TempGFJWA.bat

                          Filesize

                          163B

                        • C:\Users\Admin\AppData\Local\TempGPBHM.bat

                          Filesize

                          163B

                        • C:\Users\Admin\AppData\Local\TempGUCQP.bat

                          Filesize

                          163B

                          MD5

                          9d8c823aa9d6fc3f009d667a0b5c2aeb

                          SHA1

                          9cc26bc83d1c543b737c4880b73e40a6ed254bce

                          SHA256

                          980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4

                          SHA512

                          66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

                        • C:\Users\Admin\AppData\Local\TempGYXTU.bat

                          Filesize

                          163B

                          MD5

                          6e31c43788d7301741672ff4f3bf894d

                          SHA1

                          6eafac35c57f27c3a82a823234c33cf252297ad8

                          SHA256

                          f491f70f2aede6268defd75e90807d8b78950ca0b8e06f36e24132e6332372c5

                          SHA512

                          e00289ea72da234d58e338a41a2b8fe3a120bc27afa68b8379e0c4f21362188a876d7ed5cb026987f923464f831b313013469b603418df56a74e726f5388f07b

                        • C:\Users\Admin\AppData\Local\TempJACDR.bat

                          Filesize

                          163B

                          MD5

                          d1f2e014c99667f1790fb29c6759c62c

                          SHA1

                          ba5add390cbf847484cfe9ef87ee50ff6705c531

                          SHA256

                          f7f2f97bbdb25c9b940ccc189306d8cf2db72688d4a8e779f70088f3f2357f97

                          SHA512

                          39ca1ed5043e399af93fa00f90636360e5a8162e270b8ca1617ab7af51c78051d4c989f1f6f32b9d78bc6b6d4557ee0fa891488c127ec7d9aff17aeeddde072a

                        • C:\Users\Admin\AppData\Local\TempJJSNW.bat

                          Filesize

                          163B

                          MD5

                          90f9d90f63324bf9badfa9a326fcebbf

                          SHA1

                          af2e43a04ae0ec176817b1e36dd9ca32ebe6ad07

                          SHA256

                          c01205e63f576371dfacf06fa331b24a01ef0f2cea9c36338c8cb9eafcbf27d5

                          SHA512

                          6fa356dcc471bcd3bd149ccbcb5c03b26044088d60cc2874a3710d579131b980176e2fd1d6b53c7c40f97278c244f7f4f23b16009fa1851336557bc0cf73fb34

                        • C:\Users\Admin\AppData\Local\TempKTFLQ.bat

                          Filesize

                          163B

                          MD5

                          d55e6f40d7cd30b45c4d53f24c07ffa0

                          SHA1

                          858e175f6baa0cd28d08af0fa4a81323378c5444

                          SHA256

                          e1f38603ef277b3320508246e951856963b81f2e98862f9ce6bbce6d2d631763

                          SHA512

                          90b2938eefed287196c17a415d01882c0b8ab07ea54e226762f76cd86fd395ca912c880c88048a06fb0fb89d09b63c1aad8732910a5d7d395d978bcb5f00a584

                        • C:\Users\Admin\AppData\Local\TempKUQDA.bat

                          Filesize

                          163B

                          MD5

                          0887f8a053b6634da227e398c394d81b

                          SHA1

                          7e302400941306dbb1fb3a489a23add27b1209d8

                          SHA256

                          2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c

                          SHA512

                          e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

                        • C:\Users\Admin\AppData\Local\TempKWHGK.bat

                          Filesize

                          163B

                          MD5

                          5afdc54e0196cc5ab4ea6bccfc4f6092

                          SHA1

                          8377d18b05d5424aa9ab36ab527fb133d9e6b581

                          SHA256

                          5d43c8fbdd4e5f11bcca6a5ed4fc910b9bbbb671294783503e98928423b9cc19

                          SHA512

                          fcb0d4ba0ebfdbe270a8950cd347afc1c05eca3cc11ee4bbff2b97298ad00e2e5d01bc3296c5009fd01c78d8a6cf0ac388327d258ef7a9a1d169baca70bdc17a

                        • C:\Users\Admin\AppData\Local\TempMJSEK.bat

                          Filesize

                          163B

                          MD5

                          3f2a24c78a1e0062c3333fa133c76e55

                          SHA1

                          caafb642051e937a2658adee1f4553a4109af72a

                          SHA256

                          9694f3dfc741c18a643f8518244c2820f3e20aaf7cb099c49eba1013d922126c

                          SHA512

                          fa33c87b432c960f4d379cb104b9cb3b802629dbe852d94f1080b1ee017e54839c07f020f19b7c57703d025be5388a2128cbc09de9f81d591c7a170015d41e5f

                        • C:\Users\Admin\AppData\Local\TempNOXTA.bat

                          Filesize

                          163B

                          MD5

                          2f639433a90ffd80f88b06472aaee1ca

                          SHA1

                          dd95f3059098502e98cb1f11ac51b756c509fb67

                          SHA256

                          1adf52f8a0dd36c614052aa308038793d2c314af5e50719c6d987888c77f4866

                          SHA512

                          24bf0e75536c0e50be3e88c7e95ef7fcf6f9fb17e54620d35e05bbaf251556a81a552f0d5cae5d1c1d8d79d62d87e3ee591e3126de0c0fedacd2c684820db5d4

                        • C:\Users\Admin\AppData\Local\TempNOXTA.bat

                          Filesize

                          163B

                          MD5

                          a15e4aed73dcc45f662f2fbd31d1de31

                          SHA1

                          c40ea805fcd1fbb8a644045a5cbef752f84fa2b6

                          SHA256

                          f4e5edc4ac3d5fc73fcc6c5aad72fceb96c9581b0a9bb1043c7e78316bf07f51

                          SHA512

                          7a5fb4cd4715b33b075551ab4dd52f798878c69b6be91645a2d957a363cc4bec7a2950840ad220334eef3137a10d2c9ed8c7796bdf1c613f401cda1429a9727d

                        • C:\Users\Admin\AppData\Local\TempNUJJK.bat

                          Filesize

                          163B

                          MD5

                          408103db4ad9374528e4599b6139e839

                          SHA1

                          d978ef5d7ca78c78ba70647e9e4948d7b62a82cd

                          SHA256

                          d8a8526ae5fb68c815226e1671330a8f579af0970b766652981ef7e8c144af68

                          SHA512

                          5b79f24248eed96faf5237dbceb8341c8b52f9a53eb9de978f7782dcca5322b23103de153890712c33f651dbf80ad54c11ce8c55b3432fe7c7494ec6d6b663cb

                        • C:\Users\Admin\AppData\Local\TempOLPKS.bat

                          Filesize

                          163B

                          MD5

                          4bf9ebf7456231a305cb90bb1dfec04b

                          SHA1

                          cf29746638f8a435a640514ae9fe04cfc3d643fd

                          SHA256

                          19cb655bd25868a95249b402e9f4c80d05e89664f3733db2f4f3698e145af463

                          SHA512

                          0e1c3d34b9faa99d672f1706bdace4e922605160c3de146a65acb56bd34c128202e6ab62ca366b0b5e446e287a193af740c23293a9cb538f8606228d52a4b58e

                        • C:\Users\Admin\AppData\Local\TempOVLJN.bat

                          Filesize

                          163B

                          MD5

                          e95acfeb457237af6afe96527da371f7

                          SHA1

                          8bc3b050182199c2801b82e3d0667c83d723aa37

                          SHA256

                          d5749216b228c5451b89f8d627155996545936afa22e06571f5bbaf77b30815a

                          SHA512

                          972d3bca56c1517464dbdb84afa9a9df48201010313582bffe921f5d586f703d4979019a6582fde443477895bdee0db983d9d3aae13c1bea987a45d2178fb0e2

                        • C:\Users\Admin\AppData\Local\TempQVGEI.bat

                          Filesize

                          163B

                          MD5

                          ff9abd1864688e58231b836533082825

                          SHA1

                          4e9d65dfa8db6c9f9d03821b9155f362e16596f3

                          SHA256

                          f560c1de0c8a6c41ee379d9b0c473782792f198e767ec0cbe8b4468ef090a342

                          SHA512

                          88bca29511ddb1b282d9ec78c3ee07a8f8763e1c5df58a6cc8c37a12cffa75117f3ec916399d21fbf72ac1f7cd7a860b55d4770d9f9b698906d7b9eeaba8c7fe

                        • C:\Users\Admin\AppData\Local\TempQWMKO.bat

                          Filesize

                          163B

                          MD5

                          0dc97faab010bf174db702381c9ba478

                          SHA1

                          a515e6ccf579eda7e6aaae83ab4117c18cb73290

                          SHA256

                          0a4fcae90e3b4dc146f1f7a0a9fb11ae9c7ed566fd6029eca327b296929071fb

                          SHA512

                          c1ce922250bfd779f2eb09d8745c712af490d93e2ef6376b8a7ed624be9758208b4437990fa4a0cb53e426e971e4696ba358556e23cc7811bea22818ae4af716

                        • C:\Users\Admin\AppData\Local\TempRVQYM.bat

                          Filesize

                          163B

                          MD5

                          4dd0704bf70b7b2cd6dba3eba341befe

                          SHA1

                          860564bfcb7fe35b15edf5cf68ea9d234451c946

                          SHA256

                          1d257f770fd370cdfb4a94abc88a1f46f6779b26afc818fcb46fb7d30db5b1b7

                          SHA512

                          3d7a3306837482e3d979a2c6cddd0279d713739a7acb27d602d124ef253056cd3ae8ae5a911ff57d21e7d7d150a83aeb1305e07f8273c054820d22665915be34

                        • C:\Users\Admin\AppData\Local\TempRVQYM.bat

                          Filesize

                          163B

                          MD5

                          4d890f959a4d385e04d772ea987acbae

                          SHA1

                          41689789e4ff64776249ca571f2cf25d73569352

                          SHA256

                          6d52454135cf46234a716e74e7b284df88f76661ab37c31c21f56b62f9864ba1

                          SHA512

                          20f75f9081b01bc1354a411d3d8e3f7862f05fdd8b9dd5578e53e372d0456d4aa3850a4c71357a4a22a3fa6e695ce210e17487de535b6484d4f9183710038b22

                        • C:\Users\Admin\AppData\Local\TempSDWWL.bat

                          Filesize

                          163B

                          MD5

                          f12eabc05ad07e28998bba3d0c4b7517

                          SHA1

                          21aa28ea0e9786833d2cea38e7f8176560945456

                          SHA256

                          d6ed466f36738b8d14060e25c85244877190aeda44d43d0bd7b71203a44163eb

                          SHA512

                          e25d3d9b2ace750368e8a212701ef5415922669b72231abd716faec01db65ba14ae93cc3e5d8d9c4fd65e9edc69e0c6650268b6ef2cd9d1d0445a58b23f1561f

                        • C:\Users\Admin\AppData\Local\TempUASWR.bat

                          Filesize

                          163B

                          MD5

                          455c8a6689513eaa82789d6053a1c49f

                          SHA1

                          316ee3812705351df713e6c2e2fd8137d35a7d6d

                          SHA256

                          a8d343b3418d974a4a3c11511a5f827664bc00e103b3d2a8dfbaba0701df82e5

                          SHA512

                          6f03a8bbb981589a1df53ffdd53ed07d77aee6a1f1b2b63bd0c2bc516ebc6698a7c5d39d712ba4fefdec248af97c2d02ef2c683bee8d8180c31e809f6b5aa5c5

                        • C:\Users\Admin\AppData\Local\TempUFEIV.bat

                          Filesize

                          163B

                          MD5

                          80fcdb7f0d083ecadec5420f5524c4df

                          SHA1

                          04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

                          SHA256

                          743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

                          SHA512

                          7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

                        • C:\Users\Admin\AppData\Local\TempUGEJW.bat

                          Filesize

                          163B

                          MD5

                          c6ad413703313815cb7b72e3d5e4d387

                          SHA1

                          702afd950c3d5cfbf13ea5e27932a792ef9c2e5c

                          SHA256

                          28d8d55a537d91dfd6c059ba0ecd06b85cb84da39e4a2ba1a9a3794dc8d61f84

                          SHA512

                          f1b5250a66c6b97546ed4caaca5cd56924a9471c91063e08758ac349350b28b5843b4b1831b425d3e9054609ae421923bc0354687fe7678f66702fa93cb79bb5

                        • C:\Users\Admin\AppData\Local\TempVHHFN.bat

                          Filesize

                          163B

                          MD5

                          f3d85b1490cc1409c6bfce0a010ae5f3

                          SHA1

                          b376eb0754003174f008dedfe3630f349fcc08af

                          SHA256

                          e5e0628933cbf4d42dd18f33809c3ed733a310c3b9f78215b2e90b3cd581cd2a

                          SHA512

                          c4746df7a565fca73690936004acb276c8354f3935525a50e2b690dce42224531a9b1133f25ca65eb1fb798cb9cb2d4e0edddc31489e4425ab06a8d6b22dbbf6

                        • C:\Users\Admin\AppData\Local\TempVHNSE.bat

                          Filesize

                          163B

                          MD5

                          ff557665b57d32a1d0d57febe9e3ae15

                          SHA1

                          fc9a0b568f1f1fffa70b59b2c03247faab516782

                          SHA256

                          fd67bb00ddb9e7208443ed698310f77eee63ff2fa1f5f6f434fdeb498993e86b

                          SHA512

                          597d26df5000871b3e1b339baa304b0c5026e7f378f0e02b83c78497bff7e3f3835904bb57438df903fac516e85a8d5eeaacb58a0965943621e43b25195b9838

                        • C:\Users\Admin\AppData\Local\TempVSQUP.bat

                          Filesize

                          163B

                          MD5

                          1faffc24a0f82a32b5098ebaba7e5779

                          SHA1

                          e565672cf80edcca0869335def7879961b3f133a

                          SHA256

                          976506a63c340ebca8a3df8e58eaed7c86d43dbab986067b68cf71eb3a682dfa

                          SHA512

                          c2828fea9899cfb2f33b6c737d7fb158b942645abd256800da9a2944a937fb2e58fec82a978c95fd22869c7cce2a5cc81b61ac59c3c7ffe04fb5a8a889738cd6

                        • C:\Users\Admin\AppData\Local\TempWCUYT.bat

                          Filesize

                          163B

                          MD5

                          797a05802a5f3d6699024252559afe38

                          SHA1

                          ab85f1b33d35de1a5d5f55187c816bb4237eeca1

                          SHA256

                          16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074

                          SHA512

                          73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

                        • C:\Users\Admin\AppData\Local\TempWCUYT.bat

                          Filesize

                          163B

                          MD5

                          f14f65a51922cceb01f79b7baf0fc4f0

                          SHA1

                          0c58371e5b61d929c770c82dc432f27daec53956

                          SHA256

                          4f9c96fea692435be2bfc5faf4bf4f4d4d1f541ab8987bb73f5c9a09f4633dc4

                          SHA512

                          db41a1bdc10804a936dcf21748268a6e406c5ea1ff4ef57a83dae942f1f51a07eb5da53c678b6895b2c4932c574473c0c4951e70ab94a48d5be284321ee97622

                        • C:\Users\Admin\AppData\Local\TempWIOTE.bat

                          Filesize

                          163B

                          MD5

                          21343373fa3df55d7326902ef73a77d2

                          SHA1

                          18c1af04af5f2a7699781f70ba94599e0866d9be

                          SHA256

                          4c4fc3782a2dabc1adf075d4b2d1898d81994c4077e8dfb8dcee670243d41911

                          SHA512

                          6a856d9fe66d101a76ae0119d1a18b36dd9802624c6759b53948fc0ee6c8b225369b3d4e6203a3d17988a0a252f8082d033b9cb4e86ec25dc73e38468dfacd4d

                        • C:\Users\Admin\AppData\Local\TempWSSHP.bat

                          Filesize

                          163B

                          MD5

                          40fd2eb397fe6438934c7f2717fa4b27

                          SHA1

                          dd83f066f368c414a1f4379271d1de36847c1aa5

                          SHA256

                          935322d22cb8d3a8cb22dc881d77bb0af719fc0a3bd7abc154c45274d5c8ffea

                          SHA512

                          aa59d8b6e5313279b59b9c4ff9d5392ead400f43cc450b0f74d42997c7a6c6841b5cf6296d9863ec94b97da627b6fefb35208633886421d3701bb924ec26987b

                        • C:\Users\Admin\AppData\Local\TempYGOFD.bat

                          Filesize

                          163B

                          MD5

                          1c8a1be9bc3ebb31b2592214152bb854

                          SHA1

                          ad9dc2375b15466336615991e8f93396679cd5c7

                          SHA256

                          8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb

                          SHA512

                          0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81
