Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/03/2025, 22:06

General

  • Target

    3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe

  • Size

    520KB

  • MD5

    05dd4591907c614bc68aebeaed6193b8

  • SHA1

    be46e28b8082177adde63329fdd3aafabf310d9b

  • SHA256

    3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7

  • SHA512

    233ba57c60b19621203deefa73f4a3ff4ec3923fb423c05f3dd2089e407fd75a872080d3f99ed6654e40aa6035a6473cd0df70f7988cdeb7dc192911cd8311a9

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXr:zW6ncoyqOp6IsTl/mXr

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload 10 IoCs
  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 57 IoCs
  • Adds Run key to start application 2 TTPs 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe
    "C:\Users\Admin\AppData\Local\Temp\3307b04fba0c05baca0c7f0245b72e2052ff1eb6a7a3cde92f73c9a5f875a7b7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2240
    • C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
      "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2828
      • C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
        "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe" /f
            5⤵
            • Adds Run key to start application
            PID:1468
        • C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe
          "C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYPP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
              6⤵
              • Adds Run key to start application
              PID:2684
          • C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
            "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUR.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:788
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:688
            • C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
              "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2660
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
                7⤵
                  PID:1080
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f
                    8⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:996
                • C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1616
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\TempHIRMV.bat" "
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1736
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLSHIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
                      9⤵
                      • Adds Run key to start application
                      PID:2132
                  • C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1968
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Users\Admin\AppData\Local\TempOBXWA.bat" "
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1476
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSQUPXLMFMMVRQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
                        10⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:2284
                    • C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:2260
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\TempLITQO.bat" "
                        10⤵
                        • System Location Discovery: System Language Discovery
                        PID:1604
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSFCRQEFBBWREMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
                          11⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:2544
                      • C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
                        10⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetWindowsHookEx
                        PID:1648
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
                          11⤵
                          • System Location Discovery: System Language Discovery
                          PID:2900
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDXDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
                            12⤵
                            • Adds Run key to start application
                            PID:2752
                        • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2880
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
                            12⤵
                              PID:2768
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
                                13⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:2664
                            • C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
                              12⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Suspicious use of SetWindowsHookEx
                              PID:2344
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
                                13⤵
                                  PID:3040
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe" /f
                                    14⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:2840
                                • C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe"
                                  13⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2608
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "
                                    14⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2860
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
                                      15⤵
                                      • Adds Run key to start application
                                      • System Location Discovery: System Language Discovery
                                      PID:480
                                  • C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
                                    14⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3064
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
                                      15⤵
                                        PID:272
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULKNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
                                          16⤵
                                          • Adds Run key to start application
                                          • System Location Discovery: System Language Discovery
                                          PID:836
                                      • C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
                                        "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
                                        15⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:996
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
                                          16⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2660
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f
                                            17⤵
                                            • Adds Run key to start application
                                            PID:2428
                                        • C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
                                          "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"
                                          16⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:608
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "
                                            17⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1248
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe" /f
                                              18⤵
                                              • Adds Run key to start application
                                              • System Location Discovery: System Language Discovery
                                              PID:2144
                                          • C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe
                                            "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe"
                                            17⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2368
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
                                              18⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2232
                                              • C:\Windows\SysWOW64\reg.exe
                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe" /f
                                                19⤵
                                                • Adds Run key to start application
                                                • System Location Discovery: System Language Discovery
                                                PID:1496
                                            • C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe
                                              "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe"
                                              18⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetWindowsHookEx
                                              PID:916
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\TempTFMQC.bat" "
                                                19⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:984
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe" /f
                                                  20⤵
                                                  • Adds Run key to start application
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2984
                                              • C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe
                                                "C:\Users\Admin\AppData\Local\Temp\GCXQVOEOIGJVWES\service.exe"
                                                19⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1156
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempUPYPE.bat" "
                                                  20⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2732
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
                                                    21⤵
                                                    • Adds Run key to start application
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2716
                                                • C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
                                                  20⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1808
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempRMUII.bat" "
                                                    21⤵
                                                      PID:1860
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
                                                        22⤵
                                                        • Adds Run key to start application
                                                        PID:2736
                                                    • C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
                                                      21⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2332
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
                                                        22⤵
                                                          PID:2024
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
                                                            23⤵
                                                            • Adds Run key to start application
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2840
                                                        • C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
                                                          22⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2340
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c ""C:\Users\Admin\AppData\Local\TempBQYQK.bat" "
                                                            23⤵
                                                              PID:1944
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTPNSERTOHLMVRE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe" /f
                                                                24⤵
                                                                • Adds Run key to start application
                                                                PID:2020
                                                            • C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\ENXFBPUGHEMFJYA\service.exe"
                                                              23⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2856
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
                                                                24⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2216
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
                                                                  25⤵
                                                                  • Adds Run key to start application
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3052
                                                              • C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
                                                                24⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:272
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
                                                                  25⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2604
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
                                                                    26⤵
                                                                    • Adds Run key to start application
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2000
                                                                • C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
                                                                  25⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2280
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c ""C:\Users\Admin\AppData\Local\TempGFJXA.bat" "
                                                                    26⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:892
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe" /f
                                                                      27⤵
                                                                      • Adds Run key to start application
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:692
                                                                  • C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe"
                                                                    26⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:1724
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
                                                                      27⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:1508
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
                                                                        28⤵
                                                                        • Adds Run key to start application
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2404
                                                                    • C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
                                                                      27⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:1732
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\TempLHPGE.bat" "
                                                                        28⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:592
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNCDVTCCW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
                                                                          29⤵
                                                                          • Adds Run key to start application
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2368
                                                                      • C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
                                                                        28⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:1592
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
                                                                          29⤵
                                                                            PID:1872
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f
                                                                              30⤵
                                                                              • Adds Run key to start application
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2008
                                                                          • C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"
                                                                            29⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2304
                                                                            • C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
                                                                              30⤵
                                                                              • Executes dropped EXE
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2208
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                31⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:2084
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                  32⤵
                                                                                  • Modifies firewall policy service
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Modifies registry key
                                                                                  PID:2884
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe:*:Enabled:Windows Messanger" /f
                                                                                31⤵
                                                                                  PID:2912
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe:*:Enabled:Windows Messanger" /f
                                                                                    32⤵
                                                                                    • Modifies firewall policy service
                                                                                    • Modifies registry key
                                                                                    PID:2632
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                  31⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2740
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                                                                    32⤵
                                                                                    • Modifies firewall policy service
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry key
                                                                                    PID:2736
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                  31⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1648
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                                                                    32⤵
                                                                                    • Modifies firewall policy service
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies registry key
                                                                                    PID:2768
                    • C:\Windows\system32\conhost.exe
                      \??\C:\Windows\system32\conhost.exe "1256077130-19809539862075354116666173343-936477909-1791692471146198283-1175637388"
                      1⤵
                        PID:2664
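The process tree above repeats one pattern at every level: a `cmd /c` launch of a `Temp<5 letters>.bat` file (note the missing backslash: the .bat is written directly under `AppData\Local`), a `reg.exe` write to `HKCU\...\Run` under a random 15-letter value name pointing at `Temp\<15 letters>\service.exe`, and finally firewall tampering through `REG ADD` on `SharedAccess\Parameters\FirewallPolicy` (`DoNotAllowExceptions=0` plus an `AuthorizedApplications\List` entry whose description is the sample's own misspelled string "Windows Messanger"). The following Python is an added example, not code from the tria.ge report or from the sample, that turns those observations into detection logic run over process command lines such as Sysmon Event ID 1 or EDR telemetry. The sample command lines are copied from the tree above plus one constructed benign control; the tag names and the 15-letter / 5-letter name heuristics are assumptions drawn from this single run, not documented Blackshades constants.

```python
"""Flag the persistence and firewall-tampering command lines seen in the
Blackshades process tree above. Added example; not code from the report or
the sample. Intended input: process command lines from EDR/Sysmon telemetry."""
from __future__ import annotations

import re
from typing import Optional

# REG ADD <key> [/v name] [/t type] [/d data] [/f]; key, name and data may be quoted.
RE_REG_ADD = re.compile(r'\bREG\s+ADD\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RE_VALUE = re.compile(r'/v\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
RE_DATA = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
# Payload path seen in the tree: %LOCALAPPDATA%\Temp\<15 letters>\service.exe
# (the firewall list also names Temp\service.exe directly). The 15-letter
# directory is a heuristic from this one run, not a documented constant.
RE_TEMP_SERVICE = re.compile(r"\\AppData\\Local\\Temp\\(?:[A-Z]{15}\\)?service\.exe$", re.IGNORECASE)
# The launcher .bat lands in AppData\Local with a "Temp" prefix and no
# backslash (TempDHIRN.bat etc.), exactly as the tree shows; same caveat.
RE_TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp[A-Z]{5}\.bat\b", re.IGNORECASE)
RE_RANDOM_NAME = re.compile(r"[A-Z]{15}")

# Lines 1-5 are copied from the process tree above; line 6 is a constructed
# benign Run entry used as a control.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
]


def _pick(m: Optional[re.Match]) -> Optional[str]:
    """Return the quoted or unquoted capture of a /v or /d match."""
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Extract key, value name and data from a REG ADD command line, else None."""
    m = RE_REG_ADD.search(cmdline)
    if m is None:
        return None
    return {
        "key": m.group(1) if m.group(1) is not None else m.group(2),
        "value": _pick(RE_VALUE.search(cmdline)),
        "data": _pick(RE_DATA.search(cmdline)),
    }


def classify(cmdline: str) -> list[str]:
    """Return the (hypothetical) detection tags that apply to one command line."""
    tags: list[str] = []
    if RE_TEMP_BAT.search(cmdline):
        tags.append("temp_bat_launcher")
    reg = parse_reg_add(cmdline)
    if reg is None:
        return tags
    key = reg["key"].lower()
    value = reg["value"] or ""
    data = reg["data"] or ""
    if key == RUN_KEY.lower() and RE_TEMP_SERVICE.search(data):
        tags.append("run_key_temp_service")
    if key.startswith(FIREWALL_KEY.lower()):
        # DoNotAllowExceptions=0 makes sure the exception list below is honoured.
        if value.lower() == "donotallowexceptions" and data == "0":
            tags.append("firewall_exceptions_enabled")
        # An allow-list entry whose program lives under Temp is the second half.
        if key.endswith(r"\authorizedapplications\list") and RE_TEMP_SERVICE.search(value):
            tags.append("firewall_exception_temp_service")
    return tags


def scan(cmdlines) -> dict[str, list[str]]:
    """Group command lines by the tags they trigger."""
    hits: dict[str, list[str]] = {}
    for line in cmdlines:
        for tag in classify(line):
            hits.setdefault(tag, []).append(line)
    return hits


def persistence_entries(cmdlines) -> list[tuple[str, str, bool]]:
    """(Run value name, payload path, name looks random) for each Run-key hit."""
    out = []
    for line in cmdlines:
        if "run_key_temp_service" in classify(line):
            reg = parse_reg_add(line)
            name = reg["value"] or ""
            out.append((name, reg["data"], RE_RANDOM_NAME.fullmatch(name) is not None))
    return out


if __name__ == "__main__":
    for tag, lines in scan(SAMPLE_CMDLINES).items():
        print(f"{tag}: {len(lines)} hit(s)")
    for name, path, random_name in persistence_entries(SAMPLE_CMDLINES):
        print(f"Run value {name!r} -> {path} (random-looking name: {random_name})")
```

Feeding real telemetry means replacing `SAMPLE_CMDLINES` with the command-line field of your process-creation events; the two firewall tags are only meaningful on the legacy `SharedAccess\Parameters\FirewallPolicy` keys this Windows 7 run writes, and the Run-key tag keys off the `Temp\...\service.exe` path rather than the random value name, so a benign Run entry with an unusual name is not flagged by itself.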

                      Network

                      MITRE ATT&CK Enterprise v15


                      Downloads

                      • C:\Users\Admin\AppData\Local\TempBHVDR.bat

                        Filesize

                        163B

                        MD5

                        b8382e28e36c2f79e4c6aabc88e01934

                        SHA1

                        4e0d6b24e341d2c38e2043978ff08d6a962a765f

                        SHA256

                        4aaf2c1c77ad5f3e02e53ac5a383d88f2a933e530dee51dc72c7d0a18f321129

                        SHA512

                        d5179a9bbd4a238041217dc5a41a28420026424357e30f9e5c553e90ca230a29779185d9679224d8919a6b59edaa181b2f10ac582323f9f5e6aae9583a5dbb65

                      • C:\Users\Admin\AppData\Local\TempBQYQK.bat

                        Filesize

                        163B

                        MD5

                        17cf9170b56378d3bbb545e259d3e76d

                        SHA1

                        55d59651b9c39d1c9125bc731a81d358977cf8f1

                        SHA256

                        414c9b611a779c7e9a378a2c0557fbc601ac4208ffabe3364340b37958be106a

                        SHA512

                        b0e90ee079af8ffbb3f5fb43d9316da430ae1a7d8e2edb95a6bc990c82a5d6d107a10737d1b9d1d6a49531e14b3b1dd4da82933a5e82653bddc58f426dee3d11

                      • C:\Users\Admin\AppData\Local\TempCIWES.bat

                        Filesize

                        163B

                        MD5

                        ba429fd56ff7582c4de4880c49452a09

                        SHA1

                        f39ab13e597a4092461eb550a4a343404828677d

                        SHA256

                        15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf

                        SHA512

                        83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a

                      • C:\Users\Admin\AppData\Local\TempCWAMY.bat

                        Filesize

                        163B

                        MD5

                        5e76b3709a497d84ef8391f01020354d

                        SHA1

                        51f78c55afb17aec3a11666e0637754de54d5692

                        SHA256

                        11f9c23493ae6b7ce035de587469c88606ac0caca9cd7d7e71cabf66ec179258

                        SHA512

                        a73048f7a378e12bc6a2150a082e1000f527320a71914939f98085f8527b0076a7a188d91c47b2989b57f947383a707da2253e23593cec274273974f32092ce3

                      • C:\Users\Admin\AppData\Local\TempDHIRN.bat

                        Filesize

                        163B

                        MD5

                        662efbf888c6d75769e8c5c0dec1d01e

                        SHA1

                        3181e950587a5f94a137cf768dcd15f46c0772af

                        SHA256

                        b32b596d5872682dbfc521ee0f94fa698be838962b81585fd54c2523bd621736

                        SHA512

                        f56692d07d039f1af97946589fb878bf6c93a7cb2e7d8fbd4b2f24716cdf0cc10dd904e026894fa5128bfe108058403a6b1ff5fc4e1f3bdd53f5eebc4c484c8d

                      • C:\Users\Admin\AppData\Local\TempEFOKY.bat

                        Filesize

                        163B

                        MD5

                        8960ceb0ef08479b59c50fcc23ca918c

                        SHA1

                        612ba9e7f7164a0cef4c3ecece208314043e2227

                        SHA256

                        e05147f640ec22eeac45f62b5bf63850b795ef82db932886796ff3b486a9b978

                        SHA512

                        7aec155be1f37f296ac20eb0d9fbb5dc45b82703116c60951b0e9308941d754151dc61dfd563cb1002f07d48bbc4c69a5b68a5f5fdd291f953d8f34ded257fe5

                      • C:\Users\Admin\AppData\Local\TempGFJXA.bat

                        Filesize

                        163B

                        MD5

                        cce4e39402c0ca1121660d705291b9e3

                        SHA1

                        dde080ecc6eb827eb288f886f21b405dec14234b

                        SHA256

                        f26d37b64a96bf0fae9afb9c11ae3e401feced2f485dc77ba4e2ff445c6c2d30

                        SHA512

                        501de9b077aa45f1b598b78ecc56e80e6048c15debb6117ab275df5c042aa9e903cefc564f01b4b83c05c038f6158f0566f27b0b05feca921cd1de96285ac678

                      • C:\Users\Admin\AppData\Local\TempGPBHM.bat

                        Filesize

                        163B

                        MD5

                        42d069ae459273b0a7ad18a831237702

                        SHA1

                        4ac36f878a22a4f32a153863e791d23da67ef06e

                        SHA256

                        36deba68c43c38607fde36f0f8a8df91154377fce462c42e90ef01b53f87a8ac

                        SHA512

                        182174d3a9a7a7985612ae379c7ea082b48bbfac6af0bb54ae3dd4b93daba4d8090d9f629a356215204093a62c4eb025711e0b039af56a5e77abb17d0e918eee

                      • C:\Users\Admin\AppData\Local\TempHIRMV.bat

                        Filesize

                        163B

                        MD5

                        8537ec64ab9c824ea1b462610fbd206a

                        SHA1

                        ad65ebd0e4cefe33fe48c62e9b89479a0c298f52

                        SHA256

                        66605e0d67a3c79ef3eaa349748ee9941aef99836743aa0967ac48a5cc3d76fc

                        SHA512

                        a57dcf092df0d45ab464156efede8641d338c56e5179169086585d03bdc1d01fc7610d849203947958e913feff07a58e22491a20114415604d26e245910b81dd

                      • C:\Users\Admin\AppData\Local\TempKXFOF.bat

                        Filesize

                        163B

                        MD5

                        b196951fba48b5977560e9753b785b65

                        SHA1

                        e22f3e6d2c9c03545b5dc31252623bf766673f4a

                        SHA256

                        8b7922292951a99acead0d2660c90515a483da5780dfefc2417325f37d807731

                        SHA512

                        bd899da3d81da6bab9cb78167b9426efacab052eda353821e30afb1585749bcba973f92cbb41868a111a57b6917a8f0d0ae6019ac78690e822534923133b9aa9

                      • C:\Users\Admin\AppData\Local\TempKYGUT.bat

                        Filesize

                        163B

                        MD5

                        bfe87af784bde263c3f6cdf5cd36b72f

                        SHA1

                        f72c588450099da0760b82d9d48f1759a71e27a8

                        SHA256

                        aa48511caeb9d17d096dafc2f0f10cdb98e9347cfa9803888d1c03f8d038868d

                        SHA512

                        6aba5e69540ad6d6a9b9c3113693d69235566e75746b5481261173765460c5a033656ab3e697dbcd790089597bf61863069df9ec4b9725c6d65bd3431f79fbdb

                      • C:\Users\Admin\AppData\Local\TempLHPGE.bat

                        Filesize

                        163B

                        MD5

                        e5d7d66600fb7c912eecfe106fa5a67d

                        SHA1

                        f34a574f0ffc4890e2e7d6981481e18ab208dea3

                        SHA256

                        00cceb49ee80e693ece75684e20569c4fa0ddc50dcf2859d005b90171e6c65e8

                        SHA512

                        18128099ea696f50404d53a3b4b4791717859f8bf3b1deedcfee2788f39bf83f2c05f8c51ff9de8831db96b759b63e31c563469c2d7308a5a8d4ad6bcb48957a

                      • C:\Users\Admin\AppData\Local\TempLITQO.bat

                        Filesize

                        163B

                        MD5

                        e5bb269c2b3d0ccebe68419445efa181

                        SHA1

                        cade865c3df69b58e5659e8270fd0fe85b4fd6fc

                        SHA256

                        e71d4c9983a769f9158cdea6cd811ec94d1e0d95b5408c9b7677ede1fa00726c

                        SHA512

                        f15a101d4784f22da543173396be8f1e63ff46a6fdc3a40f0dada7c2d80aa25d79152b37e6fa10eff443126f8ab7e13215768bf7594245bdf0434a9ef4624a8d

                      • C:\Users\Admin\AppData\Local\TempLOPUB.bat

                        Filesize

                        163B

                        MD5

                        587e12d87de4bc405dc1f2c0213887d1

                        SHA1

                        525338665cf885af5842a685341059bb0b59ffd6

                        SHA256

                        9df74a9b259ecc06dbf590345a4ce80dbdc70825170c2aa8058715294b817569

                        SHA512

                        fc324a3b890b30196143bb4180123297bd82745dd4b3d72246ac5b83268b7fc571c32b12f47f2ea2a2fcff662cab3030cd5a34581c3cda7ab974b2adaa71fe30

                      • C:\Users\Admin\AppData\Local\TempMJRDK.bat

                        Filesize

                        163B

                        MD5

                        22edd2e5b814b8a48238457e9eaa458f

                        SHA1

                        de9135a97c6e976de887c1acc3c3ac55ac6344dd

                        SHA256

                        0c02ada924e44b30e8d742287f0df8685fde155925f0dc44257ee33eec9cd0a9

                        SHA512

                        c40434c243412d6201a5d7835d06472744eea06c65d2e5ec9d07df0823d09250659dca0eae55ef3175c77eb1bedf65b344fb8618213d8f874e3fe057f97d3bb1

                      • C:\Users\Admin\AppData\Local\TempMJSEK.bat

                        Filesize

                        163B

                        MD5

                        3f2a24c78a1e0062c3333fa133c76e55

                        SHA1

                        caafb642051e937a2658adee1f4553a4109af72a

                        SHA256

                        9694f3dfc741c18a643f8518244c2820f3e20aaf7cb099c49eba1013d922126c

                        SHA512

                        fa33c87b432c960f4d379cb104b9cb3b802629dbe852d94f1080b1ee017e54839c07f020f19b7c57703d025be5388a2128cbc09de9f81d591c7a170015d41e5f

                      • C:\Users\Admin\AppData\Local\TempMNWSA.bat

                        Filesize

                        163B

                        MD5

                        a4d004ad29d3b8175a96f922359cc315

                        SHA1

                        0fa15cba7e806e78247ff7a5a5aef1172dbeed47

                        SHA256

                        3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c

                        SHA512

                        81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423

                      • C:\Users\Admin\AppData\Local\TempNJXWI.bat

                        Filesize

                        163B

                        MD5

                        f3b8ddc4d4fad0bc32f84eac08e8b5bf

                        SHA1

                        e01268ff601b676b24a9523067c804a7acd5685e

                        SHA256

                        645541f0f595c8bd565536eac2333a00019fdb7cb74fe9ffa313dc4c64ed881b

                        SHA512

                        d0ca064e5ade826aa3a5e80f30dab95565ff2e7ed104edbdd2e036412559cc78c9ef5090705e95f079c0ad6bee1386f5a4beb75b2b5bed282dee5762a27ef865

                      • C:\Users\Admin\AppData\Local\TempNVHOS.bat

                        Filesize

                        163B

                        MD5

                        fe72326b3a174bcff560600751c53971

                        SHA1

                        184d49b39de1e9a1abd3015e3981144db6917076

                        SHA256

                        c538538b47345374ccf2c2a6e0786b5b6816f61668d507c1c6964e53e958034f

                        SHA512

                        0266ccd90a4c6d135b2b7b6d3b42ccc31ad777f5b31a6abf4d5c4325fd4b90da9dbb468784c160c44bee09414317486c2df0d0a70a0495918afd57d85525ec5e

                      • C:\Users\Admin\AppData\Local\TempNWSAF.bat

                        Filesize

                        163B

                        MD5

                        afeb668f213817d4b1a9be76781efc92

                        SHA1

                        ee411b15b31e74668760c6336509caf7c1ea4014

                        SHA256

                        67e6ee9618639ad12271873b3ca1a28f253cc564a8824b20ccaa02d987ca7e12

                        SHA512

                        84a77b223af978e42dfd83be7a7707a174f3547843128ab0a384c73dac443ea15fa2844c39b4c220c6c1baf45962557095b711a90b16d3426a0af14442ddfa04

                      • C:\Users\Admin\AppData\Local\TempOBXWA.bat

                        Filesize

                        163B

                        MD5

                        9f77972fb8a0a4da90e05dae340d35f7

                        SHA1

                        0d7f668b96138ed2b05f9e77ddddf35cdc0612a5

                        SHA256

                        4525e254e96e5a9e6de49ebf7358d55221138f1944e966063ee513a3b4b74584

                        SHA512

                        d487087ea1f5b14027062d67ac8ad637ed53e51e1b467b226cb70ff7cef6f35321cc63d734f3826a061f4e9cce7db214215eb4a8601747fad64cd18335aad64c

                      • C:\Users\Admin\AppData\Local\TempQRWDE.bat

                        Filesize

                        163B

                        MD5

                        836fe23e586a2a27bd49efd04c4d0645

                        SHA1

                        8d152e3915ff657b20eebe46d838f0367fad6027

                        SHA256

                        d34036cceb63725f50d8c9a483713375b79cf61792bba6372bb4863d6c06faf9

                        SHA512

                        c85d6b09c3b8cadb7ee1ca7e9df203bcb84fcd8f8f9380b02223d57d71de9fc141437c35e2ae857cd583ea336e7e7d502f703e1898721b25bb13dda9f37032b6

                      • C:\Users\Admin\AppData\Local\TempRMUII.bat

                        Filesize

                        163B

                        MD5

                        bb27e4c24484dbe2d39e8d88d55b3c2f

                        SHA1

                        86007d26b8075efcf83cc8f6ef77c6d381291658

                        SHA256

                        cfe74a40b353c29cb95f1610b3290f8e32a0f0122d125dce317f63d35031a5f2

                        SHA512

                        52f774bad56549147e26e62d2688ff06df16a3bdaab619d8e98c3b0cba2525f2530515ff868ec444e773ad05d5066fdc7dcfb086676c0cd831a47b83ec2126c6

                      • C:\Users\Admin\AppData\Local\TempSDXWL.bat

                        Filesize

                        163B

                      • C:\Users\Admin\AppData\Local\TempTFMQC.bat

                        Filesize

                        163B

                      • C:\Users\Admin\AppData\Local\TempUPYPE.bat

                        Filesize

                        163B

                      • C:\Users\Admin\AppData\Local\TempVHNSE.bat

                        Filesize

                        163B

                      • C:\Users\Admin\AppData\Local\TempXDVUR.bat

                        Filesize

                        163B

                      • C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\LNDVUCWMCHQHGQO\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

                        Filesize

                        520KB

                      • C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

                        Filesize

                        520KB

                      • \Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

                        Filesize

                        520KB

                      • \Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe

                        Filesize

                        520KB

                      • \Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe

                        Filesize

                        520KB

                      • \Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

                        Filesize

                        520KB

                      • memory/2208-738-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-743-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-746-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-747-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-748-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-750-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-751-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-752-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-753-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB

                      • memory/2208-755-0x0000000000400000-0x0000000000471000-memory.dmp

                        Filesize

                        452KB