blackshades | 1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/03/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
Size

520KB
MD5

9253bfbcd2397ce613b1ab1b59f4d581
SHA1

99165784f0e95d1c58722948a62160e84b15b2b2
SHA256

1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f
SHA512

4ddd56a125c5bdbbfc895df5c3b4f2906291aa6815c78e85d739c9e198612ebc9401f0a3f2a40c327fdbe24d61da65d57f9cec735c613bd42637051ae2ea3018
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX7:zW6ncoyqOp6IsTl/mX7

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 7 IoCs

resource	yara_rule
behavioral1/memory/1160-834-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-839-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-842-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-843-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-844-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-846-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1160-847-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 33 IoCs

pid	Process
604	service.exe
2892	service.exe
1856	service.exe
1948	service.exe
2424	service.exe
1388	service.exe
1656	service.exe
1028	service.exe
2536	service.exe
2928	service.exe
1952	service.exe
1996	service.exe
2960	service.exe
1356	service.exe
956	service.exe
2400	service.exe
2328	service.exe
2944	service.exe
2536	service.exe
2568	service.exe
1204	service.exe
2856	service.exe
904	service.exe
648	service.exe
1772	service.exe
316	service.exe
1916	service.exe
2152	service.exe
2632	service.exe
1720	service.exe
1528	service.exe
488	service.exe
1160	service.exe

Loads dropped DLL 64 IoCs

pid	Process
2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
604	service.exe
604	service.exe
2892	service.exe
2892	service.exe
1856	service.exe
1856	service.exe
1948	service.exe
1948	service.exe
2424	service.exe
2424	service.exe
1388	service.exe
1388	service.exe
1656	service.exe
1656	service.exe
1028	service.exe
1028	service.exe
2536	service.exe
2536	service.exe
2928	service.exe
2928	service.exe
1952	service.exe
1952	service.exe
1996	service.exe
1996	service.exe
2960	service.exe
2960	service.exe
1356	service.exe
1356	service.exe
956	service.exe
956	service.exe
2400	service.exe
2400	service.exe
2328	service.exe
2328	service.exe
2944	service.exe
2944	service.exe
2536	service.exe
2536	service.exe
2568	service.exe
2568	service.exe
1204	service.exe
1204	service.exe
2856	service.exe
2856	service.exe
904	service.exe
904	service.exe
648	service.exe
648	service.exe
1772	service.exe
1772	service.exe
316	service.exe
316	service.exe
1916	service.exe
1916	service.exe
2152	service.exe
2152	service.exe
2632	service.exe
2632	service.exe
1720	service.exe
1720	service.exe
1528	service.exe
1528	service.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMLRNDQYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTQRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMIXLSB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CJNBEPRMKMCQXGS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLCPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLEDKTJPGXODND\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AMULAVRMVGWBGVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXKMHFHXLSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAYOTYFFDLEI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBACXSFNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\KOTABHESSGHCADY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDBIEUHOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEWNKFUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKXAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPUABHETSGHDBDY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFIECTYRHHJEABL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGPWHDOHIYRVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\COTPDPAYDVURSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIWRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLEJQCCPVNVJTK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXAYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQERCAFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKANUEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUUIJECFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQNBNYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XYALQXYJBDRMMGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNTPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2836	reg.exe
2960	reg.exe
2968	reg.exe
1760	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1160	service.exe
Token: SeCreateTokenPrivilege	1160	service.exe
Token: SeAssignPrimaryTokenPrivilege	1160	service.exe
Token: SeLockMemoryPrivilege	1160	service.exe
Token: SeIncreaseQuotaPrivilege	1160	service.exe
Token: SeMachineAccountPrivilege	1160	service.exe
Token: SeTcbPrivilege	1160	service.exe
Token: SeSecurityPrivilege	1160	service.exe
Token: SeTakeOwnershipPrivilege	1160	service.exe
Token: SeLoadDriverPrivilege	1160	service.exe
Token: SeSystemProfilePrivilege	1160	service.exe
Token: SeSystemtimePrivilege	1160	service.exe
Token: SeProfSingleProcessPrivilege	1160	service.exe
Token: SeIncBasePriorityPrivilege	1160	service.exe
Token: SeCreatePagefilePrivilege	1160	service.exe
Token: SeCreatePermanentPrivilege	1160	service.exe
Token: SeBackupPrivilege	1160	service.exe
Token: SeRestorePrivilege	1160	service.exe
Token: SeShutdownPrivilege	1160	service.exe
Token: SeDebugPrivilege	1160	service.exe
Token: SeAuditPrivilege	1160	service.exe
Token: SeSystemEnvironmentPrivilege	1160	service.exe
Token: SeChangeNotifyPrivilege	1160	service.exe
Token: SeRemoteShutdownPrivilege	1160	service.exe
Token: SeUndockPrivilege	1160	service.exe
Token: SeSyncAgentPrivilege	1160	service.exe
Token: SeEnableDelegationPrivilege	1160	service.exe
Token: SeManageVolumePrivilege	1160	service.exe
Token: SeImpersonatePrivilege	1160	service.exe
Token: SeCreateGlobalPrivilege	1160	service.exe
Token: 31	1160	service.exe
Token: 32	1160	service.exe
Token: 33	1160	service.exe
Token: 34	1160	service.exe
Token: 35	1160	service.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
604	service.exe
2892	service.exe
1856	service.exe
1948	service.exe
2424	service.exe
1388	service.exe
1656	service.exe
1028	service.exe
2536	service.exe
2928	service.exe
1952	service.exe
1996	service.exe
2960	service.exe
1356	service.exe
956	service.exe
2400	service.exe
2328	service.exe
2944	service.exe
2536	service.exe
2568	service.exe
1204	service.exe
2856	service.exe
904	service.exe
648	service.exe
1772	service.exe
316	service.exe
1916	service.exe
2152	service.exe
2632	service.exe
1720	service.exe
1528	service.exe
488	service.exe
1160	service.exe
1160	service.exe
1160	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2396	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	30
PID 2120 wrote to memory of 2396	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	30
PID 2120 wrote to memory of 2396	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	30
PID 2120 wrote to memory of 2396	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	30
PID 2396 wrote to memory of 2536	2396	cmd.exe	32
PID 2396 wrote to memory of 2536	2396	cmd.exe	32
PID 2396 wrote to memory of 2536	2396	cmd.exe	32
PID 2396 wrote to memory of 2536	2396	cmd.exe	32
PID 2120 wrote to memory of 604	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	34
PID 2120 wrote to memory of 604	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	34
PID 2120 wrote to memory of 604	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	34
PID 2120 wrote to memory of 604	2120	1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe	34
PID 604 wrote to memory of 2996	604	service.exe	35
PID 604 wrote to memory of 2996	604	service.exe	35
PID 604 wrote to memory of 2996	604	service.exe	35
PID 604 wrote to memory of 2996	604	service.exe	35
PID 2996 wrote to memory of 2912	2996	cmd.exe	37
PID 2996 wrote to memory of 2912	2996	cmd.exe	37
PID 2996 wrote to memory of 2912	2996	cmd.exe	37
PID 2996 wrote to memory of 2912	2996	cmd.exe	37
PID 604 wrote to memory of 2892	604	service.exe	38
PID 604 wrote to memory of 2892	604	service.exe	38
PID 604 wrote to memory of 2892	604	service.exe	38
PID 604 wrote to memory of 2892	604	service.exe	38
PID 2892 wrote to memory of 1952	2892	service.exe	39
PID 2892 wrote to memory of 1952	2892	service.exe	39
PID 2892 wrote to memory of 1952	2892	service.exe	39
PID 2892 wrote to memory of 1952	2892	service.exe	39
PID 1952 wrote to memory of 2100	1952	cmd.exe	41
PID 1952 wrote to memory of 2100	1952	cmd.exe	41
PID 1952 wrote to memory of 2100	1952	cmd.exe	41
PID 1952 wrote to memory of 2100	1952	cmd.exe	41
PID 2892 wrote to memory of 1856	2892	service.exe	42
PID 2892 wrote to memory of 1856	2892	service.exe	42
PID 2892 wrote to memory of 1856	2892	service.exe	42
PID 2892 wrote to memory of 1856	2892	service.exe	42
PID 1856 wrote to memory of 1752	1856	service.exe	43
PID 1856 wrote to memory of 1752	1856	service.exe	43
PID 1856 wrote to memory of 1752	1856	service.exe	43
PID 1856 wrote to memory of 1752	1856	service.exe	43
PID 1752 wrote to memory of 1808	1752	cmd.exe	45
PID 1752 wrote to memory of 1808	1752	cmd.exe	45
PID 1752 wrote to memory of 1808	1752	cmd.exe	45
PID 1752 wrote to memory of 1808	1752	cmd.exe	45
PID 1856 wrote to memory of 1948	1856	service.exe	46
PID 1856 wrote to memory of 1948	1856	service.exe	46
PID 1856 wrote to memory of 1948	1856	service.exe	46
PID 1856 wrote to memory of 1948	1856	service.exe	46
PID 1948 wrote to memory of 2848	1948	service.exe	47
PID 1948 wrote to memory of 2848	1948	service.exe	47
PID 1948 wrote to memory of 2848	1948	service.exe	47
PID 1948 wrote to memory of 2848	1948	service.exe	47
PID 2848 wrote to memory of 2860	2848	cmd.exe	49
PID 2848 wrote to memory of 2860	2848	cmd.exe	49
PID 2848 wrote to memory of 2860	2848	cmd.exe	49
PID 2848 wrote to memory of 2860	2848	cmd.exe	49
PID 1948 wrote to memory of 2424	1948	service.exe	50
PID 1948 wrote to memory of 2424	1948	service.exe	50
PID 1948 wrote to memory of 2424	1948	service.exe	50
PID 1948 wrote to memory of 2424	1948	service.exe	50
PID 2424 wrote to memory of 1780	2424	service.exe	51
PID 2424 wrote to memory of 1780	2424	service.exe	51
PID 2424 wrote to memory of 1780	2424	service.exe	51
PID 2424 wrote to memory of 1780	2424	service.exe	51

C:\Users\Admin\AppData\Local\Temp\1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe
"C:\Users\Admin\AppData\Local\Temp\1f8b996d7e60e59f3c2cb5fefa7aa6c1f36cfb8942c1ce0d5b9601760ed9584f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempTDOUL.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AMULAVRMVGWBGVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
  "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2912
- - C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
    "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
      "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2860
      - C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
        7⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKMHFHXLSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYFFDLEI\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYFFDLEI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYFFDLEI\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRSDWW.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "COTPDPAYDVURSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCAFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKANUEP\service.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKANUEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKANUEP\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
        11⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJXFTS.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempHUUGO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RFIECTYRHHJEABL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
        15⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQNBNYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
        16⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWPVHD.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYALQXYJBDRMMGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPFSAJ\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPFSAJ\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEWNKFUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJABDR.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNTPFSAJ\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNTPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNTPFSAJ\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTGNIN.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOTABHESSGHCADY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTGOIN.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPUABHETSGHDBDY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKB\service.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
        24⤵
        Adds Run key to start application
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJX.bat" "
        24⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELQ\service.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        25⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe" /f
        26⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWDMDX\service.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQYH\service.exe" /f
        27⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMLRNDQYH\service.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLCPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SVLEDKTJPGXODND\service.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQCVVJ.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTQRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe" /f
        29⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMIXLSB\service.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLEJQCCPVNVJTK\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\YRLEJQCCPVNVJTK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRLEJQCCPVNVJTK\service.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWHTED.bat" "
        30⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CJNBEPRMKMCQXGS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f
        31⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
        31⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe" /f
        32⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXAYGU\service.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWRRGP.bat" "
        32⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe" /f
        33⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDBIEUHOJ\service.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIGOAH.bat" "
        33⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPWHDOHIYRVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        35⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        36⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBPYLK.bat

Filesize
163B

MD5
736488d919948b985d8c173d796c990b

SHA1
850cfe9d506f5a8de9ce7f853a8b9237e052e980

SHA256
20ec788015018915acea902b26d3c791ab57dfe69673871cce17f44c876ced37

SHA512
2b385e1717a7e3c98f749915b289cf4dbacfce3f2e0a82a8803edbd3cf7a27b181dadbfa9487bd8053328d68fe60d2106e4d67c4068cf8b94b2a63a72fb93c79

Download Submit
C:\Users\Admin\AppData\Local\TempEFOKY.bat

Filesize
163B

MD5
1333e399943e4112c292480711a14a9b

SHA1
863f0004610aea85de2ab4e512cff562ac0a7dfa

SHA256
382240bfcaf4afbe58b148f62bac857b6382af41e7facaff3b4b85e0fb9458ef

SHA512
32506265f04d6240dea72fdc86a323af0ddfffbd4b471430e95cf04d53af5076bb7b25522a527f01c972b3746f6b9486a6d54b91829933494fb99fb9a95798dc

Download Submit
C:\Users\Admin\AppData\Local\TempEHISN.bat

Filesize
163B

MD5
302d90a43a0fd7982404fd0a0fd99e5a

SHA1
6c22c3017dabeac519d4da517ba129981535c514

SHA256
49c93337435909f01c054e972aeb238b467f79fde188716e67f7a746e916c5da

SHA512
af1e97b69455307e4f89ad8b8899121d1a38718c26aa42b116237d4bc72c2a031343ad8bc912ac147bc4d87bdbe020cd0835d2d3a73aa730059c82f7c5c8730f

Download Submit
C:\Users\Admin\AppData\Local\TempEXXMV.bat

Filesize
163B

MD5
1fac9c14205e89cab424a3b3a28e8368

SHA1
4ba9ef3b87ac2b35465ab930ce135fb33178b296

SHA256
8d06f26623d6e2d921a2753871f1777f026070f946fa72ba624ae199cb6b2ceb

SHA512
bf81609174b74c63bf2467a0776a1d56a2963b3d75fca84acd0076e1dbb5929b93a430368125fdb2484d816a120ed339dd7210733c8b4b80fae9a0279dec351f

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
97e359d213fcb51913df3a876212a8aa

SHA1
53b7761ec8034d5a4003399450bf5f0a914068df

SHA256
45e426550bb39ff1bf172a2f66c9a791cf6c0f50175ebca2fed424dc7d69cbb9

SHA512
eeed7664ae96fcce096a66e448eba7d37058034567b022c46b6bf4a639882144ba838d41abd8d562cd90040425df64f9d62e3cde0a033660d6ca179d727d4395

Download Submit
C:\Users\Admin\AppData\Local\TempHUUGO.bat

Filesize
163B

MD5
b17ae49f938c3295ee6c4da1f98be580

SHA1
3a9515f60fc3dfb2bffb8b357815ffe73b826ba0

SHA256
bfd9923ae7ebf446f379436bcec9d57f09df969c3ae2c2a03c9a4fdc7f714f7e

SHA512
28f116ae415ebe498cc79b9ce8f4623171a729ca368e4f6dcf8eebac0d69e1e6d81de8673ee7aeb3b80b9d8c7ff4cb84191f013e8d301e82d442d16ba8e4dfe2

Download Submit
C:\Users\Admin\AppData\Local\TempIGOAH.bat

Filesize
163B

MD5
0fc3ef8c73edbb16ba426256668c2a93

SHA1
e769628c7e3d20f80c63625bfd613c49a359e876

SHA256
1946972bbe22806c0e9336a86cf36b80aa7af14dd26397d186e72f1b55004f49

SHA512
d5b0e6fd344050dd4a4b3c90e8265a1d081e105d8f0982a4c4bb7611dd9e8c3885a69ff07b14b18c7d81fd8836f6959230317cec279483eb6d7b4b452d19fb20

Download Submit
C:\Users\Admin\AppData\Local\TempJABDR.bat

Filesize
163B

MD5
aff24d6b7c36955ac006dee4cce1a4c0

SHA1
bf373c35565265b648c84508d6daed6d60dcad10

SHA256
5942b12f147a473c1233776b3ad0623bd6f6f642c9501f44f9b14e02f47699e9

SHA512
e392200a88822ef779dab1115c8b627bcb547c3d89ddc987b5237818ee1feaa0e021f5b072035bc47f52283753458f470d77eb8c2d583e2559b54363f6a9a93b

Download Submit
C:\Users\Admin\AppData\Local\TempJBDRN.bat

Filesize
163B

MD5
673c2623c6b29a46d29bbae0b058dfe7

SHA1
9f9e286f20d4206379b89bd1ae2f856090287de2

SHA256
ccca822ee465e17bec6b6a88c1e929915d7dc2f28d75c0387bc01cda1fa45188

SHA512
4173af8984e23052124d661b57775436246a6152fef1ea08f9cc5c9c0729ec263148c8735b2c0c33df3166888218c6ca438c5aa88f4004d641cfa4dd78fb6037

Download Submit
C:\Users\Admin\AppData\Local\TempJXFTS.bat

Filesize
163B

MD5
14bc128c2822df50a76a7d2bfc5a3b62

SHA1
3921b0142ff18f4f7dc109e8231fa637e5e0f99b

SHA256
7e2d6ff47243ac2a9a573824a90ed9e33f1cf74a6cfc5073a2dea040016cd7dd

SHA512
97f26e1ba5a955d4464385da622070436c261ab97436a82000261ebd2bf9bf4f8d9d4cad1d76a54da3be487e6c0e4e86b8ccade9c93e1782189bd7703a8775d0

Download Submit
C:\Users\Admin\AppData\Local\TempKNPYU.bat

Filesize
163B

MD5
a9bfdd55cf7f7b38f64437f619c8ab16

SHA1
d8753eef294e2c8daa93f074bef421f735ec86c6

SHA256
6addcb35aebf3132fbbba7d84d04f9e710ef0e66544c05622295dc11a4bc576d

SHA512
15c8282567b9f344f6f75c65e875e519dbff5775c1f842e8e0ecd04bdc2adca07fda793b100338085bc28c02a6c4e9ecd740547e0540e2150de7a2741672f02e

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
3c95614d46738258e0480e1e01913088

SHA1
9b37177d9581e57c2c54a8dcadfd977210b2215f

SHA256
f7a0cec4ad5034063faeb523f4a2ba69b3ff7d08cb1a1f99a0e1de53ae30aee1

SHA512
8e2d16c23c9d390f730a7310d5a2b0ceb5f18d51d16c3abbdc8f4c210a5a8cc29b4c6ecb6623eff499c87839b79646b0e602842c5d4399ad1e3d6496ce149f7c

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
cf937b7d55932faad09ba835458e6a83

SHA1
1e3445e2c1ca834a6b29cbf5b5730873a42f8cd8

SHA256
8a75c414f3c319a6212bca79c0c2628c4bcbd12114d0f248290a5733d08ab9a1

SHA512
60111eeb8e2c72c0ee781a23f819c5889a07a553e7d945a67b1e4b1f85d1fd862c19e0ae101e3b90c615817bf48a8c9a40830d36e81877ae0f5c5ab2f7957693

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.bat

Filesize
163B

MD5
9fa68add95d2f0d0c96668dca34c6d73

SHA1
b699e038bb8679dee4c5e63f91970ee0809611bc

SHA256
dd5637e6da14bee1f207dfb4f4038857f189b7285417431f11229fa8798ac9b6

SHA512
244d921266ba8dd6e3cffd6883809185f97a8257833aafbc4e8b53c79222794ef597ec9a9b21fd63afd4f76fd45dd2f8d4922b5bae33c5efdd5a0f85bd67f4d6

Download Submit
C:\Users\Admin\AppData\Local\TempMVHNS.bat

Filesize
163B

MD5
de8e5a9033acdb771c83765fb813a0ec

SHA1
aa6bc8487a8f645979ee72db87e0d2dc55861f34

SHA256
fd96eeccb18b64686c62b759d1d31a53be0359fb48d0feb05d46a9d4910c4870

SHA512
aa0eddac3b4d21d6ba00309f7dda057555928b8a31f3faddf0b51d0043f4fe8e428d8e3b343e2bf1d42b09635cbdb104a1ae88a4ffe2708f69088b518498c361

Download Submit
C:\Users\Admin\AppData\Local\TempOMQLS.bat

Filesize
163B

MD5
b217cd93f39c76822c7d59441e2bf72d

SHA1
b74743485601810ac45731f8ef0ccc2e3a1f6e08

SHA256
72ff7221c084a4507b65f996ba9e40a2237cd9ce008748e9383baa25ac9d5f53

SHA512
193521f7f1e1c0257c63db0eedbdcd7737f295107be6e7da3fd61685fd86a0f8f593c268a575342623a24bec0682b1b33a0d25514c73db45761ce9d7f911f4c1

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
b04760ccf7d43806cb7e129456e3e703

SHA1
c1ab38d2d70fc0aeffb6da8bc45ee343860bcab3

SHA256
6df815ff0f0a28bba01edca40feb03fc9a80a69037c83f3c67058ffc14a74d7a

SHA512
fc29d8c3736d45181adce613a14232737bb27927d7bfa45b7c3ad113de923da12077c3fe6a8e31958b8dff32f6befbc42c8a81aef4d26f7b3c547206d4eb3725

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAU.bat

Filesize
163B

MD5
f675e50b96a22a67b72ebf9578730545

SHA1
d12c6f57ebead870a30c71ec67423a98473286a3

SHA256
b8a81e0db757b731a26a52faf865f8b1f8dcb21684642aa9f545b43d1a4d3368

SHA512
34fcadd712e71a735ef5f69c1ae953f77c7eb080fb8680e54f75e9cf3a09a2126cf9b39af8fbe860c8a1157eb5e51d35e0e2e15d822401069f8e9b012b314327

Download Submit
C:\Users\Admin\AppData\Local\TempPYAUT.bat

Filesize
163B

MD5
b81b242d63ca369b233fa36582c8796c

SHA1
91f2ba28d7ceea60b242fec5770d6faa8beb6358

SHA256
ff4fb56732f34d19d312008f66405600523da51adff0f06c9f86e163234ddb1d

SHA512
acd8f7db05de271fd445b31db9f4c1da515f48a5cbedeb77dcd949b1c986f23ba0452c57872a32a5eb011d59e95ec0ec0f9a21afa65a12a8c711b192875e8671

Download Submit
C:\Users\Admin\AppData\Local\TempQCVVJ.bat

Filesize
163B

MD5
4312a181e4cdda08330c6bf80067acb4

SHA1
f9f90def514dcd98d07c8a93080f0aa21a5ede05

SHA256
1ac8ea8a829ff31007b7d7c33e1f686d875f8e759c346b465c5bebb520b3d095

SHA512
310c6647c0939bd1fc546910ec36aa01602ce39220538920e8086580577088611fca4b8bce8c7ddfb35984560504b1f0618c4d028aa25a5e582967a038de9f67

Download Submit
C:\Users\Admin\AppData\Local\TempRSDWW.bat

Filesize
163B

MD5
7e68a5a55e353edcde2c4716ebb82c83

SHA1
6cb412c347f780b77c36dd7025740c522bec98b3

SHA256
26ccdd13bfa86eba1d781b4f85867ca7328058576ef66a06ddb68b230c043765

SHA512
54432d0fdfa63e9f8620652129d22bef990c3a8fd4440fa5f46b13b4889ed6e1cf54b11fb5261e9ae28ebf26f0ac6c39f26fdf541101a5debb12fc516340e0a6

Download Submit
C:\Users\Admin\AppData\Local\TempTDOUL.bat

Filesize
163B

MD5
5a5ef4d344cf0fc62e5726ac64037342

SHA1
03e9e38be56412ad535543cf1e83a8406fd7459d

SHA256
439358335aa27ec25ea6eaf1425503137f2eda546d1c96f98486999ba34c12d8

SHA512
b14214f07c2502960f2e10b8308706a656f5816d5e96bcd0085f4f916e7f98e2feb816dad52869ff91929dc67016effb00efa04f5e1b0caf6b1628d7887ca968

Download Submit
C:\Users\Admin\AppData\Local\TempTGNIN.bat

Filesize
163B

MD5
61535240a1c54250352bb47da7eca44f

SHA1
192ad13cd1f0f0e343b24861abae1837975f9fb9

SHA256
63a40e401b9a9ae93817174ae6a7ac4925d4c9ffd7d7eb47fbbafc9c4067b0bc

SHA512
6163509e26602e75329cfcc8635bf938d7441fab3b16f14cc7d6fb1cfa353ca6c063a205e80a7e02fa3404e65cb9746c82161da21b7496b9bc47ace14da49023

Download Submit
C:\Users\Admin\AppData\Local\TempTGOIN.bat

Filesize
163B

MD5
a898b672136abad353d6679048e6aae3

SHA1
43b94d92be9f9781e95c6bc6ff1b0087cbcd3fa1

SHA256
eced06281eac7175d956b8df614309c08e50e833f6cb3eb53caec1ba3946c9c3

SHA512
511db40ebc1173fe7ac43d770e1186ed5946c776bfd551c14c5a04231789a0130806e79bd9d5f741c6b0572a139b5da4de4cc58c919cf4f914bdc94ebb21d16b

Download Submit
C:\Users\Admin\AppData\Local\TempTOWKL.bat

Filesize
163B

MD5
96ce8c60001285fe9cd97003f00750b0

SHA1
3a3d19e8ce6223a8e3e6a3dd2ed57953d22bf2be

SHA256
81bd656a6c26f2aca043b13fd667486bbeab37fe07bfb9a84587b38531dd2d7d

SHA512
77fcbf75afdc194ba7ba44094c9e21de65822916e8eebf80dcd8fd0576bfc8e8c0b9e534262a9978524a95f48ee0da6974e3550adca8dd5b02b9c2ced43952b0

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
561a2619cf82099c2e4defc9913510f4

SHA1
5a386310f2288f7de4df581d5b555ffda2fd8588

SHA256
b3e66fff6c04128cefce587e729fe0e5aef59772b1b4fb4b1120d9282b703ac1

SHA512
7fa9d688a0b3651e4e3da103fcbfde3bed245c4c8790a24169aec71b86a6c0d20496fb7c9b4f07e1fe4d509997fd486e659a8c64e51dd4f076d38bd9fc3a71dc

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
5a4384ad153eee40e71481f1b84e2979

SHA1
c4f6eaf1a1a7e034ead8fb98d9f946ae66547733

SHA256
e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935

SHA512
68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09

Download Submit
C:\Users\Admin\AppData\Local\TempVGFJX.bat

Filesize
163B

MD5
3fc18e073107ff6e274c754eb35843c6

SHA1
82918a069a2f830a67a1ad45b309d08648ed9bf3

SHA256
d40713b9e4d51b9fe44e985c3b3f7d84a13f6ca0a5e5fec85d5565202dcb813f

SHA512
9fc17c4e649f2d53edc5b7137379b55b0dd0d034f4e94f3e7c42fc3e3c9624b643e2ed69684adec4b09c6e5f8c6d6fd4f03a79d9bd37c33b64e46c09e67c161b

Download Submit
C:\Users\Admin\AppData\Local\TempWCUYT.bat

Filesize
163B

MD5
078d38b7cb33fc98ebbb54423ccb5dec

SHA1
7572899355fed3ad40c25abcab27a31231cf48b5

SHA256
eed21714b8654e445459a40ce8dc6a100980ed5ef69ac6d3c855bc1aa97c692c

SHA512
a0fc4214edd9d0cfc4720de0bbd93c0937dc9dbe6b7da4e7e70d9e5634ce2c68f3287fbaf7dd719c85e64be1f9ab6e23043906bd350fc25e5d84eeec8be18f61

Download Submit
C:\Users\Admin\AppData\Local\TempWHTED.bat

Filesize
163B

MD5
099634a530a34a811b726834ea8dc786

SHA1
db218ffdf781516e0df61022e1c945dd2541dda9

SHA256
88890fdc331645ac61ae59c35be801bbe2cbb86cab8a7b184d8a91f1c2d2127d

SHA512
d9d010e8e4030caccc71faf3a254816d3808836a597c5d97b727519c98eb97328f9d77bd1596ad87a283e3474ce14147d8b9b86f988c206e4dc70245a9916cf4

Download Submit
C:\Users\Admin\AppData\Local\TempWPVHD.bat

Filesize
163B

MD5
a90415d65e810c3a3c1fb8d7ed7b21b1

SHA1
d4293dcbdd221cce5a8af8c428e4c8b6815ba366

SHA256
cb1f57ee1284e3546b86103d17ac99d8a62d2aad29ab5797e466d1deb99c4e2f

SHA512
b25e6d70f6c224562008bb5d9e21eb1eb933137a3270a1042725818f0aec0c7bfa54fa5ec1485598904bbf463b6cd877eea1e466f6f893bff1c647d22abf152f

Download Submit
C:\Users\Admin\AppData\Local\TempWRRGP.bat

Filesize
163B

MD5
01b6efa8ecf31ae51b0a611035299518

SHA1
7c8b5ed44f6d5a23fc80695e47b28a784e7fd6aa

SHA256
b245a13d916deae9684417c4e5c2fd33ff44e2afeafe65807f1b8004e4b09bdc

SHA512
49c02295bb630b564277cb75acae6f06a56e68728ee047ce6dfaf20c6984356ec37e3b2aba0c54fdb2417d52dd64ea367e7f9f01810bb181bb9536a4552a83ee

Download Submit
\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

Filesize
520KB

MD5
3b8d8e5500041b9a674ddce696ea25c1

SHA1
f24f3f4ce1843c89ad04ec3515a7367916989f73

SHA256
d9d956509797827aa238eac39492801d3637d67533105099075e80cb5b4fb124

SHA512
ff95cd2d0043e3374644e4ee85522676ac1f34a170e1a70d0284617188abc759209f3eb9cb4a099c2501421a944e9bf753699cfba6c6ba1beba585781eec1198

Download Submit
\Users\Admin\AppData\Local\Temp\DMWEAYOTYFFDLEI\service.exe

Filesize
520KB

MD5
297c20a945eda0f0c522c477ed71d038

SHA1
76d6f5e91356b3ab331dae3cd2d54276a6fae347

SHA256
e181e8e333acd95b0c1a2a55aa4fc6956e0f790aaa2886fe4e9c3b70becee45e

SHA512
9015b379368822e5b1255475cd3a49df7d298feb7e9705f1caab70d99805c0492cf770e029873cd2fa8b2fd632d472dad19fd0472a1853e5831520719a00fd11

Download Submit
\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

Filesize
520KB

MD5
85e91eb7cd411b06ab1d2cd54c65b8d3

SHA1
52b77f1dacebfa313e87e852b279928c40af2bf0

SHA256
b8b9879283b249e57d804ec412dadbc578de449c8e4666b8d50c6d0755df630e

SHA512
94535b6974470ba5a31933e0bdf628434230923f1837326c37af094bcaec30d7561989acc5febae273453a0a0cd78d14d6f8f34da4e9ee7aa8af57216d94d494

Download Submit
\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

Filesize
520KB

MD5
731f1c1a66ba174d39731883c633da7e

SHA1
a42aba2a75a94f8eee1d7a0ff694989adf3b6260

SHA256
3c28d2956f2f2c18f7938a12564178e17eb3ac3876d01a9979b0bb6154ec10d8

SHA512
3f383cd90214ac687a695f3db475e02e1b0d8a585273d7e403f133807965b4d1fd779063a5ec6c98dc14ce1a072c48c48dfb646d82291713180b6662491ef004

Download Submit
\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe

Filesize
520KB

MD5
6d5de01ef65361e23707ed15249652d4

SHA1
713976af31fff604bc05095ae9b74c23358ce708

SHA256
ce5cb70edeac261833a3021e92007cbd59ac3b70466a85db329f0dae399c4061

SHA512
d58b2b60a038478c880051e497d892ac15b16cebd75f3547790a75c4abbf82ec987a0c6ce4cce3bdb3220608279145f1362bd6d54f449f941837d81162d7b1bf

Download Submit
\Users\Admin\AppData\Local\Temp\KDSCKTPKFEUVSBB\service.exe

Filesize
520KB

MD5
1006aff7d8eed342f9528a87512a5d4a

SHA1
bb4f0f5b17c874aed235c61cd52aca76ff68fb8e

SHA256
2ecf3f1195d96a2cad9c0061366891be69c8c283b9aab52d317fa00daf1423ca

SHA512
c0a88788958a19fcade662575aab02ebf83d28cae3d58730e90b5f96bcd17ca41f3d5165e09206019c40c6bfe18eda15d3542355971e00845365fb630614a056

Download Submit
\Users\Admin\AppData\Local\Temp\KNYCVTCVLBHPGFQ\service.exe

Filesize
520KB

MD5
6a8575f9fc2adb8e4d09c4f3d911c215

SHA1
d00449fc1c1e98cd9a480d70d511a55dec055936

SHA256
ea8768ccb59b767851d59e28308e6601c5974da5a29a9fd0f536f12de7acc1d9

SHA512
8c36bfb6c0d868f1b6a90307923a2d29f5c7e55727c6f5de42de6763c74224c8eb81f2c4ea2be5fe9ae44c1de1cc62b7cf35b91c6aa8db6aa85a92c5dd9f7881

Download Submit
\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe

Filesize
520KB

MD5
5336998ec50fb2b6c3efc7981de5ebba

SHA1
baf1694484aca25b0bfc5089e96b54e22dd0e2a9

SHA256
0d3cafb02d9d519d61cf82f6eb4ecf858478f4e7a5aa4130a975c560554dc26e

SHA512
0480d6f282a0e3d2b052b46c47f1577223e7bd2e83313d45eb5f853411cd8ccac7fe821122550395154949eb11720ac5ad29e1e7761d9c1e690c478b28794cb8

Download Submit
\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

Filesize
520KB

MD5
de1863514400ec22a50d2c63aec858cf

SHA1
0bad875d6ba969e367ef4c2091e453d9c3c51709

SHA256
78245326f0a5a09197dea223513bc72ee54ab39b310caf8e87ab5c3c881d83a2

SHA512
4bece524d7c1bedc481cc187db5d211c41cae5ef495f0ec547aebd06a62bc98e74be669c15799ff34cedae31cc293c8a68fac32989b11d2d978b6d9f8b6b6dc0

Download Submit
\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

Filesize
520KB

MD5
815e5cfe347a9fb9899c3249fe0ca481

SHA1
b6dcc4d7110c57a122c15b64e876e3fa0d6dc449

SHA256
ee2484fb91fc9137492877fc7e0bcce43c302f3ab8e5a6d006122635502eba4b

SHA512
4aa88116c812339376ed060eb65405e9a7edbe008fb7deee24b8b7d3e830f76bfd01027e1d162935abd46fa148169fc28cbd7eed0deee855e3e72930615d4419

Download Submit
\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

Filesize
520KB

MD5
8b4b148b7abb1bd76196459fa8ee1f2e

SHA1
d8d766ab559b19af069c28ebf6fb25949cac06ee

SHA256
06834b849d277c417aa500a327ea3c8b4cc98c8d45b08898681a8930dd217618

SHA512
e77118ba24bc28c472468232c25ab9f96b0326988285c83376fc2ad3d8e2fa527245316a3e03d7364f9fa9f7a796d2779f8f8ecc59e2b7c76537b55f40e151ab

Download Submit
\Users\Admin\AppData\Local\Temp\SRBNNOJHOKANUEP\service.exe

Filesize
520KB

MD5
835585bfd71f34d4f60f27c948ab7cea

SHA1
b131c7dc21dbb17c3e7009af8bf15c7658397146

SHA256
19ddcab55dc2313031a223e65741e6cbe4ec2ff9a543203a7364054d993007b0

SHA512
0a43a4632853c98a6ffd24922d3f484aaf65254a82c4505a0ca70ae6848805dce4cecc62059d47c865b8fefd3ff0abdfbe9db35df99f3dc25552a7e10013424e

Download Submit
\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJYMT\service.exe

Filesize
520KB

MD5
4d2352cdc4ddc5fff1a486e58a3d87df

SHA1
5dfe19faf9d72185c2bb93a7e542a1296a46087a

SHA256
30e33d9617f1e4e4812fdcf86e2cf9c3c0f3967f3a4d79602303b887b3f0feeb

SHA512
e4478bbeb084f1897fe51675accdadd1d32ba65a991fa82807dfebb4185998bef1cac508807d69d70e4f5bdc71034e493754d3d00ecdc3331e0acecfc65953a5

Download Submit
memory/1160-834-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-839-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-842-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-843-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-844-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-846-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1160-847-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads