blackshades | b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Size

520KB
MD5

9ad804a81fe08950e54547454d6bee4e
SHA1

a10ef9d0f0c53035435c8fa5af655cd7969bd4fd
SHA256

b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e
SHA512

ee54de0bf577925e3103630dfb27a727d2c872f5c1ae1fbe489192d9ce55afc5632fd766f60d7555f2dc7e5a0f45d07b6653cf8ccdce599cd514a4b961f5d0ce
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXm:zW6ncoyqOp6IsTl/mXm

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/5108-1002-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1003-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1008-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1009-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1011-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1012-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1013-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1015-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/5108-1016-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVUKUNMOAEJXWI\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 39 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 40 IoCs

pid	Process
4144	service.exe
5088	service.exe
5016	service.exe
4052	service.exe
1524	service.exe
372	service.exe
5108	service.exe
1588	service.exe
3680	service.exe
4536	service.exe
2192	service.exe
3936	service.exe
2924	service.exe
2804	service.exe
4576	service.exe
4136	service.exe
320	service.exe
4024	service.exe
2712	service.exe
1928	service.exe
1924	service.exe
1640	service.exe
4896	service.exe
2748	service.exe
1220	service.exe
2724	service.exe
4940	service.exe
4628	service.exe
3500	service.exe
3100	service.exe
2412	service.exe
3692	service.exe
1840	service.exe
3004	service.exe
3656	service.exe
1604	service.exe
4944	service.exe
3508	service.exe
1968	service.exe
5108	service.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFHYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKFNBYCVTCCVLYG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYWNXQPRDHMAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGKGEUSJJLGCDMI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHBBQROXJP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NKJNBEAOUNDDFAH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OXVGCNGHXQTUGHE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTNLNDIWVIQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJRALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACSOPLKXENXVFBM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMIGMIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ETURAAMSXJGLGNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKXAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YAWUMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SRDLDUMIDTNNXNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYHQGLDULKAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKJLGDEN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJTR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFAHTUPNQGTBKBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTEFSYQYMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MMKSELPBDGRTOMO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NKJNAEAOUMDDFAG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LRWIFJEMBYCUSBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVCLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTEFSYPXMWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSOCOAXCVUQREJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMHGMIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAJASKGBRKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTMCMFEGXTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECIEUHPJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AITVQORGUCKBWLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLWPNQBGLYKS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GPYWHDOHIYRUVHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVUKUNMOAEJXWI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVIKFDFVJQLPAMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FXWSTGMTTEXXMVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LTLAURLVGWBGVWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OBEQRMKNCQXGSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQDJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOTGKGDUSIIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYOEJBSJHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VIMIGWULLNIBEFO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTKPHYPDNE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGVWTCDOULJNIQE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPMVHNSECGBJUVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEYDQGUQNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKUFVAEUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 5108	1968	service.exe	263

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
528	reg.exe
3120	reg.exe
4696	reg.exe
4464	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	5108	service.exe
Token: SeCreateTokenPrivilege	5108	service.exe
Token: SeAssignPrimaryTokenPrivilege	5108	service.exe
Token: SeLockMemoryPrivilege	5108	service.exe
Token: SeIncreaseQuotaPrivilege	5108	service.exe
Token: SeMachineAccountPrivilege	5108	service.exe
Token: SeTcbPrivilege	5108	service.exe
Token: SeSecurityPrivilege	5108	service.exe
Token: SeTakeOwnershipPrivilege	5108	service.exe
Token: SeLoadDriverPrivilege	5108	service.exe
Token: SeSystemProfilePrivilege	5108	service.exe
Token: SeSystemtimePrivilege	5108	service.exe
Token: SeProfSingleProcessPrivilege	5108	service.exe
Token: SeIncBasePriorityPrivilege	5108	service.exe
Token: SeCreatePagefilePrivilege	5108	service.exe
Token: SeCreatePermanentPrivilege	5108	service.exe
Token: SeBackupPrivilege	5108	service.exe
Token: SeRestorePrivilege	5108	service.exe
Token: SeShutdownPrivilege	5108	service.exe
Token: SeDebugPrivilege	5108	service.exe
Token: SeAuditPrivilege	5108	service.exe
Token: SeSystemEnvironmentPrivilege	5108	service.exe
Token: SeChangeNotifyPrivilege	5108	service.exe
Token: SeRemoteShutdownPrivilege	5108	service.exe
Token: SeUndockPrivilege	5108	service.exe
Token: SeSyncAgentPrivilege	5108	service.exe
Token: SeEnableDelegationPrivilege	5108	service.exe
Token: SeManageVolumePrivilege	5108	service.exe
Token: SeImpersonatePrivilege	5108	service.exe
Token: SeCreateGlobalPrivilege	5108	service.exe
Token: 31	5108	service.exe
Token: 32	5108	service.exe
Token: 33	5108	service.exe
Token: 34	5108	service.exe
Token: 35	5108	service.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
4144	service.exe
5088	service.exe
5016	service.exe
4052	service.exe
1524	service.exe
372	service.exe
5108	service.exe
1588	service.exe
3680	service.exe
4536	service.exe
2192	service.exe
3936	service.exe
2924	service.exe
2804	service.exe
4576	service.exe
4136	service.exe
320	service.exe
4024	service.exe
2712	service.exe
1928	service.exe
1924	service.exe
1640	service.exe
4896	service.exe
2748	service.exe
1220	service.exe
2724	service.exe
4940	service.exe
4628	service.exe
3500	service.exe
3100	service.exe
2412	service.exe
3692	service.exe
1840	service.exe
3004	service.exe
3656	service.exe
1604	service.exe
4944	service.exe
3508	service.exe
1968	service.exe
5108	service.exe
5108	service.exe
5108	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 2396	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	90
PID 4552 wrote to memory of 2396	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	90
PID 4552 wrote to memory of 2396	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	90
PID 2396 wrote to memory of 1592	2396	cmd.exe	92
PID 2396 wrote to memory of 1592	2396	cmd.exe	92
PID 2396 wrote to memory of 1592	2396	cmd.exe	92
PID 4552 wrote to memory of 4144	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 4552 wrote to memory of 4144	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 4552 wrote to memory of 4144	4552	b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe	93
PID 4144 wrote to memory of 3424	4144	service.exe	94
PID 4144 wrote to memory of 3424	4144	service.exe	94
PID 4144 wrote to memory of 3424	4144	service.exe	94
PID 3424 wrote to memory of 624	3424	cmd.exe	96
PID 3424 wrote to memory of 624	3424	cmd.exe	96
PID 3424 wrote to memory of 624	3424	cmd.exe	96
PID 4144 wrote to memory of 5088	4144	service.exe	99
PID 4144 wrote to memory of 5088	4144	service.exe	99
PID 4144 wrote to memory of 5088	4144	service.exe	99
PID 5088 wrote to memory of 1752	5088	service.exe	102
PID 5088 wrote to memory of 1752	5088	service.exe	102
PID 5088 wrote to memory of 1752	5088	service.exe	102
PID 1752 wrote to memory of 1688	1752	cmd.exe	104
PID 1752 wrote to memory of 1688	1752	cmd.exe	104
PID 1752 wrote to memory of 1688	1752	cmd.exe	104
PID 5088 wrote to memory of 5016	5088	service.exe	105
PID 5088 wrote to memory of 5016	5088	service.exe	105
PID 5088 wrote to memory of 5016	5088	service.exe	105
PID 5016 wrote to memory of 1268	5016	service.exe	106
PID 5016 wrote to memory of 1268	5016	service.exe	106
PID 5016 wrote to memory of 1268	5016	service.exe	106
PID 1268 wrote to memory of 4020	1268	cmd.exe	109
PID 1268 wrote to memory of 4020	1268	cmd.exe	109
PID 1268 wrote to memory of 4020	1268	cmd.exe	109
PID 5016 wrote to memory of 4052	5016	service.exe	110
PID 5016 wrote to memory of 4052	5016	service.exe	110
PID 5016 wrote to memory of 4052	5016	service.exe	110
PID 4052 wrote to memory of 832	4052	service.exe	111
PID 4052 wrote to memory of 832	4052	service.exe	111
PID 4052 wrote to memory of 832	4052	service.exe	111
PID 832 wrote to memory of 4428	832	cmd.exe	113
PID 832 wrote to memory of 4428	832	cmd.exe	113
PID 832 wrote to memory of 4428	832	cmd.exe	113
PID 4052 wrote to memory of 1524	4052	service.exe	114
PID 4052 wrote to memory of 1524	4052	service.exe	114
PID 4052 wrote to memory of 1524	4052	service.exe	114
PID 1524 wrote to memory of 2116	1524	service.exe	117
PID 1524 wrote to memory of 2116	1524	service.exe	117
PID 1524 wrote to memory of 2116	1524	service.exe	117
PID 2116 wrote to memory of 4956	2116	cmd.exe	119
PID 2116 wrote to memory of 4956	2116	cmd.exe	119
PID 2116 wrote to memory of 4956	2116	cmd.exe	119
PID 1524 wrote to memory of 372	1524	service.exe	120
PID 1524 wrote to memory of 372	1524	service.exe	120
PID 1524 wrote to memory of 372	1524	service.exe	120
PID 372 wrote to memory of 3516	372	service.exe	121
PID 372 wrote to memory of 3516	372	service.exe	121
PID 372 wrote to memory of 3516	372	service.exe	121
PID 3516 wrote to memory of 4144	3516	cmd.exe	123
PID 3516 wrote to memory of 4144	3516	cmd.exe	123
PID 3516 wrote to memory of 4144	3516	cmd.exe	123
PID 372 wrote to memory of 5108	372	service.exe	124
PID 372 wrote to memory of 5108	372	service.exe	124
PID 372 wrote to memory of 5108	372	service.exe	124
PID 5108 wrote to memory of 2328	5108	service.exe	125

C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe
"C:\Users\Admin\AppData\Local\Temp\b3496dba53d734aecc4b824e42917f0d59d1a8d7d04d67cea729c213dfa43a0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRCVV.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSOCOAXCVUQREJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1592
- C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYWFF.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGVWTCDOULJNIQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:624
- - C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
    "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDFVJQLPAMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHUBYY.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXWSTGMTTEXXMVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOULI.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LTLAURLVGWBGVWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPGEPN.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKFNBYCVTCCVLYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTGMR.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRDLDUMIDTNNXNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHXQT.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACSOPLKXENXVFBM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGMIYLT\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGMIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGMIYLT\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
        13⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OBEQRMKNCQXGSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQDJ\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQDJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQDJ\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPRHUC.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPMVHNSECGBJUVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVHPH.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGKGEUSJJLGCDMI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEYDQGUQNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDVTCD.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ETURAAMSXJGLGNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        19⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAIT.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MMKSELPBDGRTOMO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUCQPB.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NKJNBEAOUNDDFAH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
        22⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAJASKGBRKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DVNTMCMFEGXTTBP\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
        24⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKUFVAEUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECIEUHPJ\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\UMLTIHIECIEUHPJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECIEUHPJ\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJXWIQ.bat" "
        26⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKJLGDEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJTR\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNFKAY.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OXVGCNGHXQTUGHE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUCQPB.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NKJNAEAOUMDDFAG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        29⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJRALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXIGL.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFAHTUPNQGTBKBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOYTA.bat" "
        31⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
        32⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYOEJBSJHS\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\NPFXVEYOEJBSJHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NPFXVEYOEJBSJHS\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRXDE.bat" "
        33⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQYMWMI\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQYMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYQYMWMI\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKYGP.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LRWIFJEMBYCUSBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe" /f
        36⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYXJR.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VIMIGWULLNIBEFO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTQAL\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
        37⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWUMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "
        38⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe" /f
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLFDKTKPHYPDNE\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIHLYC.bat" "
        39⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AITVQORGUCKBWLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFOAGL.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GPYWHDOHIYRUVHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempCOULI.txt

Filesize
163B

MD5
dcd0b1410ff241ad766a143ae3f983a5

SHA1
f3c9e738b352c1f52b5826e778dd5ef3b2a9498f

SHA256
c167c3bbaf702652c04b6b2149143505d4898d0ee5aabb9d95baf54cdaf1b76c

SHA512
063cff9acb03175c50ac1eb45c3230fdf747fab50cc0c998f81cb79f69635ae31b7a75bf70dcb2fe91a0b3da96c69e00567a6ee218eb4dc13440f18c3b46b42e

Download Submit
C:\Users\Admin\AppData\Local\TempDVTCD.txt

Filesize
163B

MD5
07957918da211c13bb3fd7e7ca8e344a

SHA1
4bfa13a2e3dd9f0949c18dfb0ccf62ffea249e34

SHA256
084c1618761535c0f1212a2047176e341320c400fd93dd9b3a830d57a73ce3c9

SHA512
5dbb2a756a2feb6a7f0dcdc0f5cf968196ae50399c9dca7ba82d7de0847c5403e2bc8de16ccd1497ab0c7c7681659cafed431fc5b04d358f50ff9b8fafe77d6c

Download Submit
C:\Users\Admin\AppData\Local\TempEIJSO.txt

Filesize
163B

MD5
604f9a349912404b79f36a00ff580e44

SHA1
44695701694f6859082fda33380e97c86543e0f4

SHA256
8238fb6f37bb7fad279bfdb835e296bbd9dd92e8a340c4cc58b6d7a80d1633ef

SHA512
d9f803b15736c45dfb654eeafc4ff303bb3b0d43557042db6dc08b2134cb45d5eacafbe576947d62276b0552b5383f2b2d177b01bf40aa71ec98b3fb1febde18

Download Submit
C:\Users\Admin\AppData\Local\TempESAIT.txt

Filesize
163B

MD5
9f1dd4ca885267ddd7a9dfe8df0ee9be

SHA1
dbff01edf60e8a3c16de0d2af6eeb3c895848d9a

SHA256
9ee9fe43e4843d3da7fa06023b2ab450354b7bc1b0aaed19c6e9f27fa52eb2ee

SHA512
ead91a04a443c6445555889d89e427755ad98552590737a3f08ef83eb771296100a442154ee08ce69fa63648b7033bceb780dd3edc3a55f4d25181f5050184c9

Download Submit
C:\Users\Admin\AppData\Local\TempFOAGL.txt

Filesize
163B

MD5
4e9a906fdf757d9d229fae21a9f14475

SHA1
ef73eeaf6e68093470b002ebe39d9a8d6f5cd083

SHA256
0352b80dab57a1ea88a823a91917f9255399b2b178ca776b9612771b8a9e85ef

SHA512
755ec8fee9e3b7a35be80bf412c0100cd3ca4f21ef11295476804db1dd3cdb255629d94331565eb376903227a316679b647b01b161f4a4433b2efce30288e13c

Download Submit
C:\Users\Admin\AppData\Local\TempFYWFF.txt

Filesize
163B

MD5
52e73add71afb6ea81f38a11ee60ae81

SHA1
9ba3181478e4dd3f43ba744e337bba14bd495031

SHA256
d02c5457f3d43b1b54eb9de7301743b283590306bf1494aa00bd67bd056c3856

SHA512
1aba80403087fc783881f2dd62ea6c9a0b7d55ace265cbbf722f057786a48e84c785471c1351c6157a27b523941ed1d9198481f91623588cb3e6e5074a88612d

Download Submit
C:\Users\Admin\AppData\Local\TempGBHVD.txt

Filesize
163B

MD5
eef7357c045170887b4993762e5dd5cf

SHA1
21031e1a02aa4160baff2c33dcb5e923facf65f7

SHA256
86bab36c4455d62e74523fa3fff5943930a38b858fa9043df93eb6906a01999b

SHA512
be86486ed0ec7459c6306edf10196a647aebb0e46f453d001b0838c064e9e233f16dd4532e79840365f2051110335a11ef60b0f22a5d97fd9f17804050a297fd

Download Submit
C:\Users\Admin\AppData\Local\TempGHXQT.txt

Filesize
163B

MD5
105e569d9f812740efda1414a86cf93e

SHA1
925134a832375e7d6d812282694a664e093a7177

SHA256
d731136679db03c43f776f861f973afee57e5622bead84e31b0e98fbff9b2e59

SHA512
31246437a35d6b1506573e0b4783b4dc18a5f998218f705d6c336c79364873f4fdd29569616c93b07404cbc954050f1b35d67d8d63c512abe9fb642fbe5324da

Download Submit
C:\Users\Admin\AppData\Local\TempHJSOB.txt

Filesize
163B

MD5
d5b42124a1ec00265595c03beda17c79

SHA1
60c7ab6de7d7f9e6e3f23f4c9f68c53b066740b5

SHA256
aa664cc6e60297fe391f3ed90b2ead1fe17d4dc0647ec25530e403903b722a0e

SHA512
b4e185432b89c15ad8b21d65e870df23d5bda77a5eda29fd1c8308056689c94007cfaefc9a297d743d1b889bf1fda889df84c046887de7506f5046da81156459

Download Submit
C:\Users\Admin\AppData\Local\TempHUBYY.txt

Filesize
163B

MD5
32a1a069c224d96eb742509b527018ac

SHA1
6394764838e70bce869cb27519132571e887d298

SHA256
d2b47d821ffc09a19a0e6c6a3fa084e698c6ad729ce531f772df2a680736ae5b

SHA512
1de527a6b8f66d2bac10ecac4f9c2cfc04c2ecf6700371dcbfe5962bd6ae11c7ac39d983472cb94446e26f24d44107d33d9ce23ab71a5c7dbb25c1610e07dc66

Download Submit
C:\Users\Admin\AppData\Local\TempIHLYC.txt

Filesize
163B

MD5
ed00f2142207be7f2c779b127916ce31

SHA1
2dd5e730fd2c3443d71b03a4bf82cab5bda20a37

SHA256
f4747e9976aa04947cccf8c8f2e0569ed78e057309d8f7733c368043ec73045f

SHA512
1e50fd004b534c355eb7afc642ce42601b9f44f4c7cb612b06e8258e781bc7ece84b36281d524c63c39b3562a1ef727ffbbefa94bc8bebffe72a5a5678ffaa4d

Download Submit
C:\Users\Admin\AppData\Local\TempJXWIQ.txt

Filesize
163B

MD5
247802c8dee01e5f37f79fb3326ad820

SHA1
7e1021aabd23534d75976efe4fbfca6e4acb2bc5

SHA256
8b45fc7926b08cfd3d88b0a6890927786277ea68b0652778548a73b78d8bb70e

SHA512
c46dae036086fa7e35fd57fceab8b27ed9e6f946c18161dfb7bb198f8fec7406405bb20fd990109b425cd88cc1f238486094272ae23ab2e25b87bc0bbb47dd77

Download Submit
C:\Users\Admin\AppData\Local\TempKXIGL.txt

Filesize
163B

MD5
d7105f1471fbee7bd896c3cf027674e3

SHA1
7d28e6eac03d0fcafd6e0e70c91d30a6d195515c

SHA256
c0953e3c85a6cf57be769941dbd874a3f5c19f996ea4fb4a19b1573d6fb2ca50

SHA512
25eb2260ff383e27b951918cd52268d56973800d8f09047cd19c3e62300f7d9f95c3fb36e1a7f5103f0e4f663d082d5b2931bf581ed0087af9611ba0569c5355

Download Submit
C:\Users\Admin\AppData\Local\TempKYXJR.txt

Filesize
163B

MD5
c238f0069e8347b223df122c29ab53db

SHA1
6d4f2e4e35b43641af5aa8895721673f571a23ad

SHA256
3e37658644fdbba0051095395a6d6f3729722c3cdb291436348b5fd19bc0cf7b

SHA512
3b25e442accd2301cb65dfc26658ddd563d63af84cb538f1eeebc2664b50468d13071001683af7e9191dbd88ea45adbd6886ad007233d16efaff9df3a66948ce

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
9fb89caec6f093f5b98a120aa434a6e6

SHA1
7ac90bdec43895a090525864e7e03191b1e9862b

SHA256
0487f19665acc64817da8d7c6566bc0f2e05de4fe3dda344f2da61e9fbf6680e

SHA512
1959f45c5cae5618a7dd50a2a1417022db08067257cf996b8f80711c2d1a2efee2a733b175708eb9508d930032b37379190877f864ac36c325a32cee0d06d2f5

Download Submit
C:\Users\Admin\AppData\Local\TempLTGMR.txt

Filesize
163B

MD5
a1f9875102e666367eee4e2213e2677d

SHA1
171e4c4f0281c1c5a201e7c2d3027d2af5ce9b33

SHA256
912b0f281ccb7c33643e50295b33e5975de8666282142b65243b13b3515da816

SHA512
81be5c0b9ae21b1c7b3056c2978c9c0c5d111b2df330d581e4cf565975b00b0f3b9172efd2a3894fc3563bb4ae512a2da73ede606e613c7f5eb316e90b90a989

Download Submit
C:\Users\Admin\AppData\Local\TempMIWVH.txt

Filesize
163B

MD5
c540a6b02ead119f9521c034687981d7

SHA1
fb540ea11eaaa855b9a857ce7678b5e3d4c8e675

SHA256
3004b390bc5396469d19733217eba7cda26d457904e5e0a4d15cb920609f489a

SHA512
17fd27d0957941399c644afa28683d1629a448eb005f6e88f3a704698c97b2508f992a81d783fb6d9b3dbd15a43b2af4ddb1cd707e4c2adf713397a8f9c6b79f

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
66d8b90dff6628537438a9e1c971be78

SHA1
64fd65b26db59f1ef221240064d241f2ab43d73f

SHA256
0dd2b735e9d6aa632251ef6c9f84e0b32201084351069ad7bc6d691bfe4d463e

SHA512
38036674ca6ea7aeecb799c67c486defb8bb58e067c9693d1a5a4becb9ef6d0d16ff6df5672da71566d990c48499838c9fe1a25ba23f92218f4434c29ca71806

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSF.txt

Filesize
163B

MD5
c92d52208d21fe7e04960e70dfd54d32

SHA1
64ebfca26c1432fb578afe99f00ca825ddbef098

SHA256
2f63775e3d3b0274d703718b502775b7297c37e41c4d8391c7c1e89ed36c3ac8

SHA512
945c4d447801dd96e7f3b768a110127e3e8cf21d8914f193efb43968daaf0ac2d59c746f50c82f30967b7750bc4c06cb29e7edd1f26b94ededf76b860c8835a0

Download Submit
C:\Users\Admin\AppData\Local\TempNFKAY.txt

Filesize
163B

MD5
1143f4de56d4cb9967d06bcbe7128288

SHA1
5fcb600934223081e40859c217d7b50709f25e4f

SHA256
187196834002f04b94237f58725d55051c70009a459597e6affc34017f1bfffe

SHA512
8392f74abf1413ca5ef88b090be48aa875f8d6356a36f27a82fcb0987d9964eafe6bbea1cda8cc73c9a9445f1cce5a04a3c0485db1f587abfe02eabf4e9c432b

Download Submit
C:\Users\Admin\AppData\Local\TempNOYTA.txt

Filesize
163B

MD5
954308906078f9e09c3ff65de31927e8

SHA1
0b3af553e5b0acd913b6acaa2ed4248c2d1ffbd0

SHA256
0c4b5ce6bd0f3f0430629bb565c1be8ff35e4c43a41537584f208111e917c3ad

SHA512
e7aead48359b5ef9b479865bb16fc8a5ab5fb34c15653cd30bd221b6eba11bb4ad3cc05404b2942c4363681504669a8d2c8c4fb9cfac785c6dc674315fa4fe84

Download Submit
C:\Users\Admin\AppData\Local\TempPGEPN.txt

Filesize
163B

MD5
472f6d2b1a705d4faf74fc2e0c5eb462

SHA1
b4c015c9b748ceca0a9acd7240acf80d83f07eab

SHA256
5396449542f99d7e8936c282b04058cdc48c48e3e89819ba8de7814f91073b4e

SHA512
a7ae132dedf03fb313252234623953dd27f1c354ff9f4de893a1863f733d01d47e26d8191802fd7bdb8f8e1b57a1bd972e982f97a43eba3f4668b9eaf29a4138

Download Submit
C:\Users\Admin\AppData\Local\TempPRHUC.txt

Filesize
163B

MD5
e54aa239dd07c96fd705d18e57ce355e

SHA1
119bbb47fd543773dfb879a9202e01e285af928b

SHA256
88be10588576649ad8c011aa55558f8be113982cca039d8d41e7b5c0a82b3666

SHA512
7faa6b4de91aeeb4d709e1937480acc5e2a8e089a88ebe8dee10462da20ec860632bc0afd4f5e178a89fa49a02a51b6b165f70b73aa0e4befc055d8c359720d6

Download Submit
C:\Users\Admin\AppData\Local\TempQRCVV.txt

Filesize
163B

MD5
9bfa0ed07ad025448031fa50d4b4ba82

SHA1
62454b5e4285608de7806eddb98fbf02a028baa9

SHA256
0585eac524ac966f388e68c4122ac35b686a531facdaf51d48207d804d59cbf2

SHA512
8a9ad5e73c4d1764a73a93234937096362c8c8466b4fd7acf7d3615a6ef6a34096a386f654fa675ea9276f9839cffa7c2c81d27c5fd878b9e165a16da582334f

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
2d6468762e26d933b77fd6f3e90fbb3e

SHA1
aca72fdeb9edfa3a1d7860d8d43684f6367508dd

SHA256
0d8d8f322afa22d071bf9d24a785e767c66b667c029d05e4888885c7fd3a1d77

SHA512
70abb501f3c9cf0238a45f36336b79cb202c3677ae6b3b759d76dcd0ba37147acd5d937d34ae013193d6ace41d7557f109d7495550806bc3ab723a7e324e2f89

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
6e3815379c8f480ba4bf4314d9c8ae36

SHA1
d38d3f6a9c42f75504efdfd7e29b6854707c35e5

SHA256
050f9da0d56aa7132b7b3085d091415b9e80bc02528b3bcf2312220b928b2869

SHA512
3cee7e22d0d114305306070bd9af41383904d1d8a8bf2d290d86cf191a6bf08277ac930f47d59187a78c6545ff26c0e251501508fba62e76b89b9097d08b624a

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.txt

Filesize
163B

MD5
e4cdb6ff10e58ca35c4e3691a63b6fd2

SHA1
2cdc20bdbcbcd1a19db81e9df1d2025a6804fc13

SHA256
722d172cc6c28c4f1cc23fbb6a93b1bd4287d145f9074d3a252f26de09c6cb25

SHA512
be1c131141cb9afbe615f523a6b3bb96a7410e50f697237d4b332efb50b01013a7f1228c0e12e126a5b28cc54e9d2a822d02b410f707f344ebee9e557ca67569

Download Submit
C:\Users\Admin\AppData\Local\TempQRXDE.txt

Filesize
163B

MD5
95d00b5ea4e8e0ead19d31cc9770de5c

SHA1
b6bbdfe4b0ee77e4d112617e31b1efa83eb26b42

SHA256
a5697a2591aa39eb2ad492266eb67c3f00f4babc5f29014749bd34aeba318454

SHA512
e8183b638f6721747e804bdc2018879d8b326581c3c874434467c5cff045ca1e50033c75b5bf9f5114c743a01aed4698fb946f314fdeed97b9e4aec627e1ad77

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.txt

Filesize
163B

MD5
f12eabc05ad07e28998bba3d0c4b7517

SHA1
21aa28ea0e9786833d2cea38e7f8176560945456

SHA256
d6ed466f36738b8d14060e25c85244877190aeda44d43d0bd7b71203a44163eb

SHA512
e25d3d9b2ace750368e8a212701ef5415922669b72231abd716faec01db65ba14ae93cc3e5d8d9c4fd65e9edc69e0c6650268b6ef2cd9d1d0445a58b23f1561f

Download Submit
C:\Users\Admin\AppData\Local\TempTEDHY.txt

Filesize
163B

MD5
a1b64bf23e121fa5e17b54fc53451bbc

SHA1
9add06a008ee8e762f11caab6951be89c77e37a7

SHA256
330716923cb04f5bcb8e1fec5bf4573c20c5d8d95276781cfbe41f7aeaa311e7

SHA512
03bd92b7ceaa89c807de8e488319c424b937a57fa608ea24eea3efdd5fc24a9c843af769ad46a215b988e5f3d1f39459c582cbe0324cb59e13f14393483a92a2

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.txt

Filesize
163B

MD5
3eeaef369d92dfadc23dce501c625bef

SHA1
2f74ce8d22813b1da550a2ee9ef93e6dd9da6518

SHA256
7258b255cd3c56fb54d3623f471c7504f34223fe1772de00c9efab7c2233e767

SHA512
00240f6b1a2b0aa949d5e00ae1c692439277e69f273f734f2dcbdeb2ab52ae1ae10e5408952bffa54ba67d3e5f579ee272969f06114f8612745175e190239f57

Download Submit
C:\Users\Admin\AppData\Local\TempUCQPB.txt

Filesize
163B

MD5
68cfea2d3f636c80273f2d2b1e595bde

SHA1
3c84e67e10d886dd643679d5ff0f22fc608820be

SHA256
3c8980e14293eda0c3a93edd148e7c2aa3efc898e288e81fac38aff74fcec8cc

SHA512
ce5513792cef96a05fd6a3d8aa665f69a56fd0c5fb73e6b977a14fa9cf786233e3f3c8495758d9c179104225cce884ef1e8239c58830c8a37fb621acfb8431f4

Download Submit
C:\Users\Admin\AppData\Local\TempUCQPB.txt

Filesize
163B

MD5
6fd0d0ab519307a29889ab3b79d9ed0b

SHA1
8ba5855b3f779b715c2ec38bdcb466d7b148a29a

SHA256
348efddef9dc2d699c1ad40ed840fbe1b91cb37418662339b29ac55d3d5ca881

SHA512
5dbd63a7856b859bfa65d4a6408e6bac26ba5ed6dcaa3fd6100e435148f561fcbceae3a71211ae3a15dc8a8ede5676ceb50386a49f677e9a1699a0898442b69f

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJE.txt

Filesize
163B

MD5
ae509edd5dcf523ca66bbe9a385a6970

SHA1
755cc715ac1c910495d7ebe4938c14b5f3a5c7c1

SHA256
9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa

SHA512
cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde

Download Submit
C:\Users\Admin\AppData\Local\TempVKYGP.txt

Filesize
163B

MD5
1c010bbba020177b9a8cce648f262b27

SHA1
4aefe0233ed3af4bd8f4333aecd633fb7af1cacb

SHA256
f2e973cbd2c62d82d6fa0340ea81d9ce0a728f84bd9c36c0feb1f398ce67be8d

SHA512
09188e4e0f6a861fa15aaa5739df309323d3910dcc7523fe7c2c4a3e8b08a787320aa0aa4c6e17ce5841a489bb0b9cd784856b4efb43990f992c085330eebee0

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.txt

Filesize
163B

MD5
bebbf2fb943814ded9e6b5cde224d2e9

SHA1
cc04c5b4b4205990cc2f058c69a69d155a73ade0

SHA256
7b2f31524166eed29f26836fbd195c47b4c1c24b6a9d818c4e0b375ef18fc0a3

SHA512
0f454560bf5e4ac1d695ccad0546e1626338d92ba02312db177e6b155ba6f4c02498abd5d979a4e16d0ee26f36c1038c283c27190de5284e0bdc9798251ed940

Download Submit
C:\Users\Admin\AppData\Local\TempWVHPH.txt

Filesize
163B

MD5
58838ec9c33899b1d21a85457d6b9bb0

SHA1
18de19919a3b1772c28cde24b3157c9d8a519061

SHA256
aa942a8348fbacce8f326a5a7156d09f4f39b91adc92a4cd86139b0f32e3b9ab

SHA512
12ac5f352acfaa10a78c441d03e6252d104513c92897a788b006b58a9d7358be16007b92a1eca94a018f3015052dba6555e466bd3addf5a3953eb05f9148db5a

Download Submit
C:\Users\Admin\AppData\Local\TempYJHLG.txt

Filesize
163B

MD5
568547456952f6f5c201bb393e12621b

SHA1
c1d0419c928d364002a9209abf951ca7c120cb76

SHA256
e6cae876b3cc0c8b5d9a3dbbe4775150ca2631b9d1e07d996c56d3ed7cee02ef

SHA512
c1850384cee550b284db91e0d82081b94f7b6ff4627a716df9e5cc1a1ffdbebc75ebb8fccf80f342f41fc5abbd5485ce521958267a99b89a37ee80eaab3f1e73

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
e87d8e75d8f52084f1ccbf4acad09baf

SHA1
2df02ad285419221c7429924edc28ad147e68b61

SHA256
816100165f85129ce5120eed84ca5b09999e4d781cd18ee88e6cd16bfbff5389

SHA512
01c3590c4bc140743aeace39f3cabb9d96858523ba729686f2104d283140c491787d84b69cfa3e5235567555a89259e833a1296fd6374d8bc2382f7e4da71920

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQDJ\service.exe

Filesize
520KB

MD5
0c388d87199f32b71bd808c33f4332a2

SHA1
5bdfe49dc5177f7de5abe1a5d95ddddc739f9341

SHA256
6ddf0751d4080ce5e40fae0b1fd9e3254c48d2a527e817fb77db99968ed45850

SHA512
f605b6581d61625d36635864ee105f51eaade9e2726068cfbcc20be579d7fe092fe58ff32589788312ce41b4508a58958436a2d9605faa70f6b79c6f60862f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOKYWNXQPRDHMAL\service.exe

Filesize
520KB

MD5
da5d57f4ee63affba72ed945e571b170

SHA1
33ccd310632da580e07ffe11a9e06d9e6abe736d

SHA256
cc282e9d44967619d29926b967a61b72fb21c27dba7ab374086a5bdd973d9ad1

SHA512
cb8ddc034b6ef97ed29cb152993b561e7e13314fa074896e4f11f8fca782561cef39e85b9863f24beb15efbad4a5de504927167dff7650dfa107d7b4265f7fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe

Filesize
520KB

MD5
4814f9436326c095f000b121f2a049d0

SHA1
2560b1c55443a847e931b1c4a1e3459fb21801fc

SHA256
d85ec42b8ab1b5f85543f6bc8650ef73b3f6844ca6c5ba02f9c0e289fdb4fbab

SHA512
fa1d5b96cb0b39d3c1d48bf239fb17186cedac6920e5d430cbf4c4a22a869a6dbf19d46fa6adb7612a54ad23104df1dc6d4dff7411fca2888e2e81f0280a24bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

Filesize
520KB

MD5
de870cfca64f157fe66f7e6eee3c60de

SHA1
a2e4100c57127ff6598cbf62415e6673ddfb5f42

SHA256
b5d30140ded3e5a1d46ba13bf95e977861ea84a5f076e5903b9ba25c55104a12

SHA512
45abaed017c8c0cf20b22b3d35e7665a55d8adc48f62b92b2f9eb847e89c969b6f00f11beec2d2112f670b3aba94089172f68c33c6a71f142777858f223222c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFHYUVD\service.exe

Filesize
520KB

MD5
3b2f93b5f19bde0beb3d98a8e337fd4e

SHA1
67cc8cbb2e8963d46c94741702ea6b3476294e27

SHA256
230173baa0db5d52e22875f5a1804016137819b3cea51896b01875d103d62369

SHA512
0d5f1be632420d8aa149bd5509b20b82723db2f95a3ae5aaba31fa925807f2d0e7a67ffab346d395d2f6c1239637dededebd73b45dfbfd5a6279d23c9da68878

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe

Filesize
520KB

MD5
048bb8bc23c00fa0e08f052b0a704a91

SHA1
eca1011445557b4028d57d97bd56315ea097353e

SHA256
e862cf2cd0a9f6055cb385c5200c454b1b2e2ecea2b1f6fa4c67c58ed824712c

SHA512
1ccf60792a988db8d40203b82f959bb44841d598b84d113d4485f53716fa9f9bbf3b69058054c62b3e8233beda5ddc9d9f04cb5fb3e164d144e0fd349b1f7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe

Filesize
520KB

MD5
0ad71bbde5c017431efe18b5018ddd2b

SHA1
24f56629f9b173473da5e9ff5ceeb29e04acdbf8

SHA256
a736e9b17618473e7c4ece03c7cbeb680c88f30dbe1fd5aa4e3f9f6faf30db70

SHA512
95358d9bfd0cb659402855c927230e245dd5bdb76035a46065b6eaa7913abec2333096b04861b26a1dcb0c72d5e8e603240051647aa86dbbf6c23458467b7abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPGYQMHBBQROXJP\service.exe

Filesize
520KB

MD5
f1dc1c56f1768322e820e8520e93d890

SHA1
07be3678e35d0989f6dc0ea26bff5b374f653656

SHA256
69a2e94b2351e0aad4893092a69c7a72bfbd5d74f3b3939c24aa6db800353f34

SHA512
e0e838fefef6b1a1f49f3ed7b70a716a019bdf5d3a5a1bc3abeee34600d20d47b06def61dc1283c2f5459aa60ba971b742ca6c43d81412ff9886eb579dc9567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe

Filesize
520KB

MD5
e7280b8768c4d51583cc9173c0ca32b9

SHA1
b9665afdd93edd50feb485b7f7654e2fdecc3301

SHA256
67642698e259c98697f48adf591c06afccdc583650bc98b07405133e36102a57

SHA512
965d32d50aec8c86d927ebcaf88771412d522c00172cd6fca9b54801eaa939e00f0774c252c1f9b80d90080f4ceb92702a9575f046f5b995eb7c5861e1ebab00

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

Filesize
520KB

MD5
52dc9b5eca409e40418af02d6cd5ca04

SHA1
a3bf51efa8ed6039abef8daaf4332d6aad92b50c

SHA256
2769e8053b87b2de69dca758dbd262f361e1ba9a0c86292def808bd8cb56cef5

SHA512
a3aef6f67d71e87335748e459d3ade72a7ec7d63335167684b414017aa24b85bd7309bd616d4c496851d13e7fc6fabfa4de6b6f2e309b5fe2c87080b74a01a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

Filesize
520KB

MD5
2c4c04bebd26545b542a4b7d21944df2

SHA1
9cb5ed4506d0b0979d9bac1b8c9a464bf48639d7

SHA256
c1890d873cff35b881de902f00adde1180371913964cffed71d2729f15f78d91

SHA512
3be2d75e2a4a17e31eccda6d2b7244e06a6babb75af332ec1b4a8211988f4cc1463465907011569cfef235188a4c8b311be54b63fa6b76e60e56b84ffd1c8698

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

Filesize
520KB

MD5
34ec736df57b5b6471eb9432663bb6ec

SHA1
12b0292e82263fc95176d096d5be21f0feb42147

SHA256
db7a67edc050d8602941576c03ca2e2767fac50c5c4adc420c94a3df6b50f1f0

SHA512
a73ed8f892df70c2e62e53166b5ef18b4d2badb7d98ddf81acc98ff65dd0dea4841980f01986abab0bc5dfee02ac70a641965b0b9b9d144890cf734e5a91e248

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSHBYHQGLDULKAU\service.exe

Filesize
520KB

MD5
edd691a330a6ccd23786c86c96ec42ff

SHA1
39fd1dc71aba063d4ac47520b3e9a016fb8d9024

SHA256
3224b1ff2e9ee3ee57f6b70cf785d95d22c5a3d1504d449eabc0b899e8fa4bd0

SHA512
8716c15576b1e795107460b5c388235618fda4fab54eb306ebc807afdc9ebfa93af03ec58e702cfa74ce8f6a7287c4148ac48365a90584114b9f9c04f759c3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe

Filesize
520KB

MD5
d5b4dc1701a103a9ec643069f6fcffd7

SHA1
6f33ab9f821dc816fe784141061204eb29134753

SHA256
f4a813043ceebd4a245577b33d8f7765fab1492abf77d4115e736f195aa69df0

SHA512
a855a846e0cc5cb531cfbc9b78dc18751e6938ab3a89207de5210dcc98bc4756f01fc018a945d25e7d2c1b2aa58dddc884e6887650554c120d1e7ab6386ce87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
78c829d3a727ddb21331ec2dea3f0e3b

SHA1
91a3f68f33a560608924132be54e700d54971703

SHA256
b4fe5f0ca5bb52026fe91348fe126de06bbe00f17c6a453f10f47cb2f5d048d6

SHA512
6b3bc6f4658cc4204c55fca9e38dbf57e97abb22779ba46431cc6261a627510075d7481d9ebeb3c544628ad04cc218d6939c2c503e746fe49b721a8469587763

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe

Filesize
520KB

MD5
f153d479789f9abc6229047d49734045

SHA1
b5a270da3e86d1f42c245e7c97d2b9f80f283c95

SHA256
df629399ade3f9b46736027f86c4607479317293717ce42a3e3d7e0516fc19e9

SHA512
0a3dc220063731cc6ce408f1eb04c66baa22ed17f35a4cca0a8f216280921a38b0d3ca0ee8f30fb478699e6e04f0d8ae14732af92253b6f0dcaf6811fff9bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

Filesize
520KB

MD5
b4f9d9814e565afb2fe907071b153c86

SHA1
fccfe03ec42de4657663ddc4584270557f144f65

SHA256
b44c212aca890f5304e2297769eea0adec302cc59c0670f1194c40ca1ecf8d91

SHA512
f8859bf8bc09fd665e191e6b82c2e02d2d804f1fb8c6a42685ac9fb3988d36c634715bb10e775f7e4b679b483474231d37fe701fea0cb8262efddc661bee5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHR\service.exe

Filesize
520KB

MD5
42446f2073dde3394c3c71ed1e130937

SHA1
54346db06954459f8c473e1e92e99fdb0a407bde

SHA256
17f0e5d06bb73c58c51dec98ab74d705946d3c9f4480a5893cf33ecef68745c6

SHA512
43cfad55b6177459afa90a94f9a21d23a3c60cea3a9cc0c74798645976f1069bf9b3adeafd18cfccfea50f2ba3a0534ce33eb69c240396c7795e8cbb6cef2a6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe

Filesize
520KB

MD5
d4fb68af72807a1d2d3cbcb93e6ac3e2

SHA1
1c2654c65c8b048b92297026754ccda1a68b4a22

SHA256
a7f9f268c43f607afdb46fd243a5bdbb649fdb01f18412fab275c5b8bd629ba5

SHA512
62f243530482f717b34073348da55d3a2b9136feadb97deb09bd46c689d8dccf3c9a6874b897be67f6daa883d8263ff09658f9fb27f6cf783d9cecdd162f7b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.txt

Filesize
520KB

MD5
abfd361f1d4c2eaa51e725804bd3a9b1

SHA1
8d44f45f58cb17f7d1b730d3977cf93ad27bf18e

SHA256
c1e5888c0cd71ed7edc4d08eab703dd50bc010ae70e6f34e3cfc5eac4b0fb70b

SHA512
d0afa1000e4436f5defca6909f0ab02a9f477377f080a451b69b9b5cf80d292b2e334a2268c34911b0ceab1fdea16aab546daa10f3c9197ecf5f4decb70ba874

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMIGMIYLT\service.exe

Filesize
520KB

MD5
5b9c87f9ca7e9ede40c6d6fb5b971765

SHA1
9a227e3e8df6696ba8f848c513b536d4183ab435

SHA256
75145dfc1d7ed209f53a99c9b94e72c26331456d31400984dd3bdc56def404ce

SHA512
456aafdc1fea91815add26b956ed9863a298e388e125f4c292a49d7294c2ea09f09a64c6b79e56d97ad0e45814e9585614c9e107f404d8e19414577e5b3f00b7

Download Submit
memory/5108-1002-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1003-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1008-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1009-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1011-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1012-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1013-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1015-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5108-1016-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads