blackshades | cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2

Analysis

max time kernel
147s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2025, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
Size

520KB
MD5

52addf8bd42614efa69dc85209d6e760
SHA1

755a0bd27dfff5247bd8af2eb3de71d8dee93837
SHA256

cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2
SHA512

7ca4732063b2f5420d40ea1a1235d31aa1cebd5d07bc4270c96d76d3508a1c4d5a2142bec4e9d9baf99f52cc95c1ac298715e8374542a9a34b02d44f78396989
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/864-1002-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1003-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1008-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1009-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1011-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1012-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1013-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1015-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/864-1016-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARMGBGVW\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 39 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	service.exe

Executes dropped EXE 40 IoCs

pid	Process
2252	service.exe
5896	service.exe
2032	service.exe
5548	service.exe
2236	service.exe
1076	service.exe
1652	service.exe
1168	service.exe
5020	service.exe
5444	service.exe
2024	service.exe
4760	service.exe
5416	service.exe
4912	service.exe
988	service.exe
6116	service.exe
4652	service.exe
1916	service.exe
5640	service.exe
400	service.exe
6008	service.exe
4640	service.exe
4908	service.exe
3516	service.exe
5552	service.exe
5296	service.exe
5100	service.exe
5308	service.exe
5268	service.exe
2032	service.exe
4920	service.exe
1004	service.exe
5856	service.exe
4764	service.exe
5524	service.exe
1784	service.exe
5564	service.exe
5960	service.exe
3972	service.exe
864	service.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYCUSBCVKYGPGDP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQEGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJSWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKAKEYCFVRSA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUILHFVUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMAMYUASWROPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMWN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTRVQYNOAGNOWSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHYUUC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJLGEGWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWMXQORCHMLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VUGOGYPMGWQBRAQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONAIRYJFAQJKTWY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSLBLFYDFWSTA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTYFGDMEJXXLMHF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMVDAYOSXEFCLDI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OTABGDSSFHCACXS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXCTOBJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CMVTDAYKEYFVORS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HRIFATXJKHQCINA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKAVSRVIMIGWULK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NRXDEBKCHWVJKFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KJURQUILHFWUKKM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BLYUCXNRWDEBKCH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVMJETNOXNOLUGM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPFTPMRERTOHLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXYMRWDDBJC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HPHYQMHXQCRBRSP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NHQYIEPIJTWXJKH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXNSKSGRHD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGSTOMPESAIAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKPUBCHAETTGIDB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNJYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYXJRISOJSETDTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJXWIQIRNIYSDTC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBBCWCTNBID\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JURPTOWKLELLUQY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DXTOCXJYEIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTRUFKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJUS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QRNLNDQYHSXHUFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LUSDXKDXEUNQSXD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXIJGPBHMAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDMDVMJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBRAISOJDDSTQAL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOHISVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUHNS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RTJDBISINFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YXJSJTPKTEUETUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAAVBRMAHBG\\service.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3972 set thread context of 864	3972	service.exe	263

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5244	reg.exe
3108	reg.exe
2124	reg.exe
4876	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	864	service.exe
Token: SeCreateTokenPrivilege	864	service.exe
Token: SeAssignPrimaryTokenPrivilege	864	service.exe
Token: SeLockMemoryPrivilege	864	service.exe
Token: SeIncreaseQuotaPrivilege	864	service.exe
Token: SeMachineAccountPrivilege	864	service.exe
Token: SeTcbPrivilege	864	service.exe
Token: SeSecurityPrivilege	864	service.exe
Token: SeTakeOwnershipPrivilege	864	service.exe
Token: SeLoadDriverPrivilege	864	service.exe
Token: SeSystemProfilePrivilege	864	service.exe
Token: SeSystemtimePrivilege	864	service.exe
Token: SeProfSingleProcessPrivilege	864	service.exe
Token: SeIncBasePriorityPrivilege	864	service.exe
Token: SeCreatePagefilePrivilege	864	service.exe
Token: SeCreatePermanentPrivilege	864	service.exe
Token: SeBackupPrivilege	864	service.exe
Token: SeRestorePrivilege	864	service.exe
Token: SeShutdownPrivilege	864	service.exe
Token: SeDebugPrivilege	864	service.exe
Token: SeAuditPrivilege	864	service.exe
Token: SeSystemEnvironmentPrivilege	864	service.exe
Token: SeChangeNotifyPrivilege	864	service.exe
Token: SeRemoteShutdownPrivilege	864	service.exe
Token: SeUndockPrivilege	864	service.exe
Token: SeSyncAgentPrivilege	864	service.exe
Token: SeEnableDelegationPrivilege	864	service.exe
Token: SeManageVolumePrivilege	864	service.exe
Token: SeImpersonatePrivilege	864	service.exe
Token: SeCreateGlobalPrivilege	864	service.exe
Token: 31	864	service.exe
Token: 32	864	service.exe
Token: 33	864	service.exe
Token: 34	864	service.exe
Token: 35	864	service.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
2252	service.exe
5896	service.exe
2032	service.exe
5548	service.exe
2236	service.exe
1076	service.exe
1652	service.exe
1168	service.exe
5020	service.exe
5444	service.exe
2024	service.exe
4760	service.exe
5416	service.exe
4912	service.exe
988	service.exe
6116	service.exe
4652	service.exe
1916	service.exe
5640	service.exe
400	service.exe
6008	service.exe
4640	service.exe
4908	service.exe
3516	service.exe
5552	service.exe
5296	service.exe
5100	service.exe
5308	service.exe
5268	service.exe
2032	service.exe
4920	service.exe
1004	service.exe
5856	service.exe
4764	service.exe
5524	service.exe
1784	service.exe
5564	service.exe
5960	service.exe
3972	service.exe
864	service.exe
864	service.exe
864	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 5524	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	88
PID 2180 wrote to memory of 5524	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	88
PID 2180 wrote to memory of 5524	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	88
PID 5524 wrote to memory of 4940	5524	cmd.exe	90
PID 5524 wrote to memory of 4940	5524	cmd.exe	90
PID 5524 wrote to memory of 4940	5524	cmd.exe	90
PID 2180 wrote to memory of 2252	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	94
PID 2180 wrote to memory of 2252	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	94
PID 2180 wrote to memory of 2252	2180	cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe	94
PID 2252 wrote to memory of 5100	2252	service.exe	97
PID 2252 wrote to memory of 5100	2252	service.exe	97
PID 2252 wrote to memory of 5100	2252	service.exe	97
PID 5100 wrote to memory of 3000	5100	cmd.exe	99
PID 5100 wrote to memory of 3000	5100	cmd.exe	99
PID 5100 wrote to memory of 3000	5100	cmd.exe	99
PID 2252 wrote to memory of 5896	2252	service.exe	100
PID 2252 wrote to memory of 5896	2252	service.exe	100
PID 2252 wrote to memory of 5896	2252	service.exe	100
PID 5896 wrote to memory of 5716	5896	service.exe	101
PID 5896 wrote to memory of 5716	5896	service.exe	101
PID 5896 wrote to memory of 5716	5896	service.exe	101
PID 5716 wrote to memory of 5316	5716	cmd.exe	103
PID 5716 wrote to memory of 5316	5716	cmd.exe	103
PID 5716 wrote to memory of 5316	5716	cmd.exe	103
PID 5896 wrote to memory of 2032	5896	service.exe	105
PID 5896 wrote to memory of 2032	5896	service.exe	105
PID 5896 wrote to memory of 2032	5896	service.exe	105
PID 2032 wrote to memory of 2660	2032	service.exe	106
PID 2032 wrote to memory of 2660	2032	service.exe	106
PID 2032 wrote to memory of 2660	2032	service.exe	106
PID 2660 wrote to memory of 2228	2660	cmd.exe	108
PID 2660 wrote to memory of 2228	2660	cmd.exe	108
PID 2660 wrote to memory of 2228	2660	cmd.exe	108
PID 2032 wrote to memory of 5548	2032	service.exe	109
PID 2032 wrote to memory of 5548	2032	service.exe	109
PID 2032 wrote to memory of 5548	2032	service.exe	109
PID 5548 wrote to memory of 4856	5548	service.exe	110
PID 5548 wrote to memory of 4856	5548	service.exe	110
PID 5548 wrote to memory of 4856	5548	service.exe	110
PID 4856 wrote to memory of 5572	4856	cmd.exe	112
PID 4856 wrote to memory of 5572	4856	cmd.exe	112
PID 4856 wrote to memory of 5572	4856	cmd.exe	112
PID 5548 wrote to memory of 2236	5548	service.exe	115
PID 5548 wrote to memory of 2236	5548	service.exe	115
PID 5548 wrote to memory of 2236	5548	service.exe	115
PID 2236 wrote to memory of 4644	2236	service.exe	116
PID 2236 wrote to memory of 4644	2236	service.exe	116
PID 2236 wrote to memory of 4644	2236	service.exe	116
PID 4644 wrote to memory of 1016	4644	cmd.exe	118
PID 4644 wrote to memory of 1016	4644	cmd.exe	118
PID 4644 wrote to memory of 1016	4644	cmd.exe	118
PID 2236 wrote to memory of 1076	2236	service.exe	119
PID 2236 wrote to memory of 1076	2236	service.exe	119
PID 2236 wrote to memory of 1076	2236	service.exe	119
PID 1076 wrote to memory of 4712	1076	service.exe	120
PID 1076 wrote to memory of 4712	1076	service.exe	120
PID 1076 wrote to memory of 4712	1076	service.exe	120
PID 4712 wrote to memory of 2932	4712	cmd.exe	122
PID 4712 wrote to memory of 2932	4712	cmd.exe	122
PID 4712 wrote to memory of 2932	4712	cmd.exe	122
PID 1076 wrote to memory of 1652	1076	service.exe	123
PID 1076 wrote to memory of 1652	1076	service.exe	123
PID 1076 wrote to memory of 1652	1076	service.exe	123
PID 1652 wrote to memory of 4220	1652	service.exe	124

C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe
"C:\Users\Admin\AppData\Local\Temp\cc80550b8b312591756819836db0ab0c960795e80bf7ce84f022900b4b6466a2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEBKCH.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5524
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LUSDXKDXEUNQSXD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4940
- C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRALSW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYXJRISOJSETDTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3000
- - C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5716
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMAMYUASWROPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTQLR.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJXWIQIRNIYSDTC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGNIMJ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTABGDSSFHCACXS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPENAW.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JURPTOWKLELLUQY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONAIRYJFAQJKTWY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPCXB.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTRVQYNOAGNOWSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXEFCL.bat" "
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CMVTDAYKEYFVORS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRDAFA.bat" "
        11⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVMJETNOXNOLUGM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOHISVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYTHO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKPUBCHAETTGIDB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
        15⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPMRERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIBEF.bat" "
        16⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKAVSRVIMIGWULK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
        17⤵
        Adds Run key to start application
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        17⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
        18⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVMJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJQUG.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HPHYQMHXQCRBRSP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMSXJ.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YXJSJTPKTEUETUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe" /f
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEGWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f
        24⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJRA.bat" "
        24⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRXDEBKCHWVJKFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
        25⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPDG.bat" "
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYCUSBCVKYGPGDP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f
        26⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBIMA.bat" "
        26⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHQYIEPIJTWXJKH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHADEO.bat" "
        27⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJURQUILHFWUKKM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
        28⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIYLSC.bat" "
        28⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PTYFGDMEJXXLMHF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQEGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
        30⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe" /f
        31⤵
        Adds Run key to start application
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBINAD\service.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        31⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
        32⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        32⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe" /f
        34⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLYUCXNRWDEBKCH\service.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        34⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCXJYEIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe" /f
        35⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNQTRUFKPCOWOB\service.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMSKAKEYCFVRSA\service.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOJXWI.bat" "
        36⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFVUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
        37⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f
        38⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIVWWB.bat" "
        38⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QRNLNDQYHSXHUFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f
        39⤵
        Adds Run key to start application
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "
        39⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGSTOMPESAIAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe" /f
        40⤵
        Adds Run key to start application
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKTFLQ\service.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempROXJP.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VUGOGYPMGWQBRAQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        42⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        43⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAMSXJ.txt

Filesize
163B

MD5
d0d954c2feca1254478b636eb71fadfa

SHA1
a677f9446da89b70997e4d1b97f12348715e347b

SHA256
e5fb1a734cf7e835c7ce9fef8302c79d991735059caf09057ae0ec95ed27f6e2

SHA512
49f453e8d1d3b8d87137f4c3ff8131d936988c540679f049b05c0a5c95542c115bd23d1af73a80448fddd12eba898e45852fc9c96ec5021a12961baf206b7504

Download Submit
C:\Users\Admin\AppData\Local\TempBTXSO.txt

Filesize
163B

MD5
57cd62770d9c62947b6e697cc7083b10

SHA1
2996798f11f51871658d287d3a4da9e3f6b424c5

SHA256
e2cb556753927fd4e74431da49c1a0836ad2f63784fe9b0f2b53b9d439f9d7f9

SHA512
bbea2b0ec1d516c9a12e8cb20941bf29f90da137afaa0d08d125f892a49b1cabf3124c1dadfccb7c47af8475ffb871a80b8abcb9b8f35d349db410a110160c8f

Download Submit
C:\Users\Admin\AppData\Local\TempCGHQM.txt

Filesize
163B

MD5
3334a40a942cc16d2ad45a2889309dd7

SHA1
5f06d91a2023bd47d6729655e912c9b0132793e4

SHA256
bd44b83dfc2a3fa8ee12af65ce6f5e1e4981cb299e81e9401ceae3e6ee9a6ed3

SHA512
aaf549e556b882db67981f85c7fffd482b02bc3471ea7447993cc5e3493fd63de91e35e9df9ddddd1b08141007d2b132216264b8d424a0c0fddafa735738e04d

Download Submit
C:\Users\Admin\AppData\Local\TempDYTHO.txt

Filesize
163B

MD5
2721a0efed39fcc955ff581ad2cce016

SHA1
5272c5552030f4e2641026c00017cb524b575218

SHA256
e30fb3dee4f099fb555f908ac32d1385356cac42538c8c3d47c054b8a6d70c9d

SHA512
2427924a05e90408bc9b1ecc9516d0c7d491a283ab3a6280bf25e7382529478e259b6ff4b7d7fb66e0eb25714d1d18e998d02247cd5c6baada9b3202727c62e0

Download Submit
C:\Users\Admin\AppData\Local\TempEBKCH.txt

Filesize
163B

MD5
0154f9a73dfa24e4db110e7e0b5d488f

SHA1
118cbf5620cf4674200239bff7978b33da4ec757

SHA256
4da95a7f4d7fa256ca33100a1554c1613aa197785e96e7971243fb6671bbaaa2

SHA512
f55af93c1a1954abfac31fe253c03d2c089def788b9f61ff8fb35b377d325ea8203f4b3d34f2ae1cb2eeb3cc87ec3c0152d3da4335dc0e1c5141bfe8f9b76de6

Download Submit
C:\Users\Admin\AppData\Local\TempGNIMJ.txt

Filesize
163B

MD5
4aeb60342681dd1614db8ef8f6596632

SHA1
271baadc59326a3633b3bfffbeefb54a6cd98718

SHA256
a1319d76c758490d584eb149e669a96118ca318b7c690ab3f9643f9f6d21cae1

SHA512
de162c38cccdccfb788167c7269edbfc5f4f8a1fa0039ba868a6320284f4c6526b80a9a2b89eeefc70c1a121947cd428994163d13fb20143c600196ed5e214f7

Download Submit
C:\Users\Admin\AppData\Local\TempGWJRA.txt

Filesize
163B

MD5
c703063fd9699a79ca142d1e2d775c2c

SHA1
631323156a949dd4038cf1052c99181fe6a34cfd

SHA256
f6ba460a3d3c392b18b03a69573f185dd4e288df55d14a2b1fe25656f01a97ea

SHA512
9a44fbb82ce7a2bc59b5e0508a2e7244dd781a27cb05d9120d932be5f4ac6e699d24f5b499da87ddbcc097ad8f67381aa1bbacbc967fae52a71ba7fec7540127

Download Submit
C:\Users\Admin\AppData\Local\TempGYXUU.txt

Filesize
163B

MD5
fd5694efaf2c6554304de2e815bae5bd

SHA1
99666b647cd5d2d90b385ebf09f5309cebdf603d

SHA256
782adde119da1692e215623a4bceb0ee1eb9e107428069e68c4809da4d501feb

SHA512
cb647362e661f08b394bead3d269a6f4e117556104495692a2febdffb8c8e0c433d73ac17da0d2026f507f2c9690bada9d7827f725c8876f3b9f0d109cba55fe

Download Submit
C:\Users\Admin\AppData\Local\TempHADEO.txt

Filesize
163B

MD5
db5fb29b75a252060468cfdd4d7b5b0e

SHA1
57bcc43986652c7770fa1abe231211b87756f306

SHA256
b7eedc6f1b60537bc29268a85887d5956369b9fc00057d26ea3e2cbec143ffec

SHA512
07619586f22c1202466381d9ec4e0189764f6ba34543cdc1550c5a2fef72e243b836032152971f1e126b0b79e12a2334891f319bbd333561f223232d5360864e

Download Submit
C:\Users\Admin\AppData\Local\TempHPBIM.txt

Filesize
163B

MD5
0e20f5ebcdd336c68a8df289877a6c77

SHA1
8fbc19b51c051d46668b14500736fcf153e0d638

SHA256
e12b63e09936a547322a0753d689c180429f4f299c612cc876595c197b77220e

SHA512
b500945bd195eb60abaf72798b5d9f0580b86c2ed8d7db17420c5394f342f2e31a6d38d8d2e0f23c48a77952a54cb3bdaf28ef2991531cf42e9534029a04182c

Download Submit
C:\Users\Admin\AppData\Local\TempHPCXB.txt

Filesize
163B

MD5
b57a11e88629e531c5a4eef8c515393e

SHA1
2e3f916956ab54ab9ed4ff349f33dd8c8763e7be

SHA256
a044de7ae3f4ef52e038503ab02c6a3971c7883a35ccd6d95359c86009fb0ac0

SHA512
28a57b7cb1a96d2ec841b0e1fdc253de4700d8c022fee2b85f5100fcba36cae2a0ae40ac92d26815ec96c6d8a81b6f434605c5256d77ae69914e674560cdd1ab

Download Submit
C:\Users\Admin\AppData\Local\TempIVWWB.txt

Filesize
163B

MD5
b908e1090d474d1bc06c62cb0a36950f

SHA1
3e8cfda42c5494fdf507ff418ddab262fae021c3

SHA256
565015ce2f55bec05ee6939168b51b1211c6d992d78b29a3e8f3f8a6b6ced35b

SHA512
64cf079bea352a11cfd5bd11ebddc65f37bf74da2ccdcb4c8265c34b48c8291cb1c24baa2b75483b9229cc063b7149692b424a2b65c984778f2eb9352ccce5ac

Download Submit
C:\Users\Admin\AppData\Local\TempIYLSC.txt

Filesize
163B

MD5
62828818534e6d2960464c250edb4842

SHA1
874cda1521db1f47c4c28b5e6382f08ed08bd07f

SHA256
b75ffc3a8ec8f1c01c984af28e12da053ab66031ed57363a2e905444a757134e

SHA512
611ec89e655839776031288b07cfd6877d76f73353d9958d03d2fa33b48e0eb20de67a7922633706053c4b83b29f4012f53cfcc1ff8f88142890adc27ba4ab0f

Download Submit
C:\Users\Admin\AppData\Local\TempJGOAH.txt

Filesize
163B

MD5
c74edd6c4ce203f00a70a6b1de6310a9

SHA1
1fc7a4e39e6aa74af9a6b3c29c8798a305a4c11b

SHA256
dcfc7e09ab970a0e0852b5554848a8fb6303f2d996e4267d27c3f65f72ad5840

SHA512
4f1da00d63ee409221835c8262d9516d005267cd2ab85f2d8f894038287e537466ecb1b14b17ad5d7ea27ab90aaa759e8dd3c64c31727783ab76191c32d0d66a

Download Submit
C:\Users\Admin\AppData\Local\TempJKHQC.txt

Filesize
163B

MD5
b86099f3542512c7dbc00e9321f85070

SHA1
c0f2b7f78e948bc3b3dc985bf7578151969449ec

SHA256
2f0c377431e0f2a24518b65ea703471d3d350c57d3cd796922f2477eba885831

SHA512
04d42c85b7e35d3cb7345bbb222a862909ea9dbe4830f8872d0932a3d18ec559669ef6676b06000c119c77bef9c34e3dc0119737c49758beaa373a98a676e087

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.txt

Filesize
163B

MD5
1c95cf0a551ea20f4178aae177d34802

SHA1
20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a

SHA256
8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48

SHA512
82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

Download Submit
C:\Users\Admin\AppData\Local\TempLIRDJ.txt

Filesize
163B

MD5
99f13b36a689164b35d050f9a61f18ab

SHA1
125d94abb561e21e44fc89915c72d54b54ed8ec3

SHA256
4598ca2c379eabee04c8e41a255d6595bfd2c199f2aef1789a190eea72f1227a

SHA512
c9d02c4b642b970868faaef0d4a993216d5d48ce9ae47bc07b32550b2c21e527392004de1da500f6e2418ebda9731d996636d6add21dd2baa8adf1e920b0e75e

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.txt

Filesize
163B

MD5
6088a7b709602153faa14cc20b97cab1

SHA1
b02f8804235535fb01ea71d71d8ef5b9425d38ad

SHA256
3d26063b062ddec9f5a27f91ea49c3d393e68a53ae21b3fb37b5a31bc0ea9bee

SHA512
3e630811754642c32c5f0f9efb1dbe603f99b69e9747e1cbbf639de8f3ddcfe7bbf11a9dd38f179dd6026bbf4d6f8ae48f9f02b647595f0a7a72a7f856a9f8b8

Download Submit
C:\Users\Admin\AppData\Local\TempNIBEF.txt

Filesize
163B

MD5
fe1ecb9c57f0de93a512466e2be0aefe

SHA1
97f0e8cd5dc1ecd74293fd02921ff4f77eb7c76a

SHA256
044cbd5020747a02837f97615f28737ee79cbec0e69642b1c5b93b4d6ce67bb9

SHA512
8440d784d0b46b7d6fe376f0c58dd7d1622ddfb2f22ab433824aafed651eb3c524c553974df215dea59279418dd600bba5189c05b2752efe1617a28bc4d71766

Download Submit
C:\Users\Admin\AppData\Local\TempNLPDG.txt

Filesize
163B

MD5
9ebcd45fe2a547f982759546b5393a86

SHA1
827f31fb1700575bedc81ec84e3492885dd34f1f

SHA256
797b6280225c1ff222195156ea350eea6c880a6424139939fc70df0cd5bf3062

SHA512
ec5fc9fa602bf06899c17d090eeaa97cb087076cb0c32bb1057eb5302b5972265cb52bad48eb1fdc9534a34419ded23e2058a45a7dd1868fa49583ed8a1fe451

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.txt

Filesize
163B

MD5
8f1012487c4d0eae893688f24cfcd9dc

SHA1
dcca6cfc7d73cd8d8f39faebf6d8fa384712bcb4

SHA256
1ec882d67159aa1d02e0694c1f215171856651ae682b5042fa921b334cd82b93

SHA512
1cf3a988561e4ecf68964d551737c6a30155b5db769043fbef2da1c5e289af722ef3d4d365244249511667ac0ea3f980bf3f01f5884806d633eb6087fb3ed9c3

Download Submit
C:\Users\Admin\AppData\Local\TempOJXWI.txt

Filesize
163B

MD5
c2b1f1aee91002f968818f11d47fffa7

SHA1
d628ec8e54904d99a1514a3fc8b7c0213271b3fa

SHA256
5375db52ba6c6212b32b77b61cb686a0b9a302c83bc8990197cde586a9a03c4a

SHA512
4c4c1fbe3871736b0bfe9a39e6626a19a8889306d61a473f838118db986879f4d4e70bbe74a8023ea47129340fff4b3b41e2ba0ca4b8698ef2baff6dec1056d1

Download Submit
C:\Users\Admin\AppData\Local\TempOKXXJ.txt

Filesize
163B

MD5
bbcba080f74aa2b1f066df621ba2c56e

SHA1
7f4d7e934406ff949e209ef6df6e1c79ef62b360

SHA256
dd38ce5046cdc489852a85feae011b6b3c2c33a6ac39496248e7a6c377b63d2e

SHA512
40d2e31125ba8aa042ebbefa850c34fc3f78023a0772677acabadc82867c2aec1c32703f2d806b680dc4f09c04ffe8983af86b2dbcb4972a9f7eb89832a74cd1

Download Submit
C:\Users\Admin\AppData\Local\TempPBIMA.txt

Filesize
163B

MD5
513d90bbf2d7e36326b48ddae2cc139a

SHA1
e88cd3dbcd82fd87b0d1cf96b9367d7c3ec56d88

SHA256
be12d7598930517ac57036d7c763fe92532a7efb93d62de5a031f0c3371c6e6d

SHA512
8db08159607cc18284b8cbdea29cb7b41752a483abc8d1160b93640148f8633613ea425cede1c6977c7414918018e09a96e3d249a7469e0900601f7f55ac6bff

Download Submit
C:\Users\Admin\AppData\Local\TempPENAW.txt

Filesize
163B

MD5
b201c10078a62c2a99e7cfeca4e3f43e

SHA1
5078164bf6e44ca9abcda98f6229b15033421ec9

SHA256
a7ae47c5ce602ce6b505556844a987207afc82858775fcf53cbcec47149d53fa

SHA512
530e5a4a79ed67ca13bbb1c377d4e7b9e85b73ae96ee5253874a75177d85fe1886ad41b7e4790ca6de0ea2863f0718dbe7b3190888c770cb3aede724df99774d

Download Submit
C:\Users\Admin\AppData\Local\TempPXATT.txt

Filesize
163B

MD5
b5a806e22ed0abfc04f934f184018e84

SHA1
9ce5a58dfaf6cb300315c9bbd16d4f1cb2481885

SHA256
7d3771478b2492ac38e33b6a9dee340c3be8b7498a8dacff62a8188d6c4744f3

SHA512
b57b0c3469e954e3e56d5d811f67e826b4df471147b4fc8116724d07e0e5562c62ea3d88b3f3e221fe3c703c52133e4d63bddbe4e56a4f376069062a0c67822c

Download Submit
C:\Users\Admin\AppData\Local\TempRALSW.txt

Filesize
163B

MD5
9c40475388fd040907f742e7c15cf05a

SHA1
a0a21af34c561b5621e03ae23136d5e34f626770

SHA256
0c2d35d0fa959eb18c1d476fdd0abd79de1bfd83115e65f05effd18b8135237e

SHA512
e1e3898e83c760ef011c449b917bd1a2091ab0738b304c87a23f219a4efc4bed8523e66fc62a8c744c12bc23d09b8e617d9debe349d9118254b61b4ff2c5b243

Download Submit
C:\Users\Admin\AppData\Local\TempRDAFA.txt

Filesize
163B

MD5
7c798abd8934060badccd224ea734451

SHA1
3c1ad8b95afed0650acc7c1464b8654eeb1ce270

SHA256
d0e7ee62a6f62569f71d734f2faa542d27c7e384931c74612b830f5d04ce28da

SHA512
ac499aa7d3d2264408fd3657e808a9f9af6ef5231de8f5f18a316f83ff92d2e08d84d5565f1df6fb988ce26e638d165cb392f9f101cb7afdc1be7efd564cb1d5

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.txt

Filesize
163B

MD5
1ffb98006093436d5a649eec89c19425

SHA1
67f3bbcbed0f789a77f7245f13c175d4f517f3e8

SHA256
dfa282cb2fe666bbdb1c559702f491066b2d8a763a4775fbee71fde42321ccb5

SHA512
fe12f09eb5c9e13275cb7b17953dcd54fb0a74261cc08965c4ebf7439b0089b5bde99aad4f5c374a00d8ed08c60074926369a7e1515d713eccc07c0397a31c1e

Download Submit
C:\Users\Admin\AppData\Local\TempROXJP.txt

Filesize
163B

MD5
da43c49f7ca754d61a922977215e3d56

SHA1
f885398eb53a3ee99fdf8917d9ed56835a25cbfa

SHA256
60a3044cfb513de682816cbbfdf7b12f40b7992af29fc3265e979bf98af2866f

SHA512
e55dde81880138eb196c71ebfe65f14a0f7ef59deefc93f50aca5872209fc24323f46d0bfbb034662d4ea27e46815b333250400158b9b7c22fbabe289d6225f5

Download Submit
C:\Users\Admin\AppData\Local\TempSTQLR.txt

Filesize
163B

MD5
c958b5d06371adedd154fa410e2038b4

SHA1
4dce9202deb1cba5eb0739a5f4fef4303edf1acc

SHA256
6b7920750cc87e9d22cbb5f39739554eba0c10a05705a041e4d93b37bdbe7b28

SHA512
00eb39c11a011c0170c7d8a11f1624cac795b2464ff241cf92564f86b67487e9b13e819167c10834c3cac0858df806fb87fa60b7bb4426a12a782ddafffde654

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.txt

Filesize
163B

MD5
80fcdb7f0d083ecadec5420f5524c4df

SHA1
04f86b3afa07b6fbe7e2591bdb3799cc2e78750b

SHA256
743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa

SHA512
7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

Download Submit
C:\Users\Admin\AppData\Local\TempUGMRD.txt

Filesize
163B

MD5
aeda33b8e33f74ae220388442eea8f72

SHA1
f3ed95ecc7092b015c70ad52fa9d25e49f295fab

SHA256
f3ff7133ce2f5db2c19eefed19127af5c6e9bf8c1d7b850a02f1368e3393fb8b

SHA512
e70f4dcbceb2e2a79dc97d9d59dcb9f869dd381c41c123254775926088e600decb85a4eb15ccf071ae3e7b72af6b397868ddb4ea59815d5dbdc452ddcf090ef3

Download Submit
C:\Users\Admin\AppData\Local\TempVHFJX.txt

Filesize
163B

MD5
80e9dadead05662d6617aea90188dbe4

SHA1
899035a614c72bcb26b31011eb63aa89b5142914

SHA256
a144536a2fd5a2737935170ceea701b469b573f32d564d65d1fa1f3f144d93f0

SHA512
33f4dd56d6d3377c72374ada5fa4541536259f456c8e4235e25cbbc6cccce126582e413dd414575dff9e2b4392a3eb057e974667c8caca33fda2929cb6d70463

Download Submit
C:\Users\Admin\AppData\Local\TempWFFOK.txt

Filesize
163B

MD5
3fb6f383a6569a2644b9b521c3c29c63

SHA1
11473a58356b244d8a54c78626a17d72b634a474

SHA256
d3db2bf635e6d3a7e421257da4ec663bbdee3310bfcbde23237e73d8ad371335

SHA512
195c1c7a17fa85fc9953131516727c008a75f3ba97c625ae1ea7fae417a880159a6baf906f0a9fa2e3e69ef8707fddc54b472788a8e36948cbb94ca54ef1bde1

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.txt

Filesize
163B

MD5
beb7827ed78d003005c06a6e75d39ca8

SHA1
b53687b4ebf0261ab24f931cbe49fdcd4462254f

SHA256
eadc4a0bd95f17102c5a1e0f5395919eaba58e5c21a9dc773f89d3621b1f8ff4

SHA512
02e1fb2f87d0c388c7f55e6de1a3b78c505e53cec5722753e0ebf950c9de247252e723adace937912bf4ae8954fabe9e31f070e311d7a2b38c01fcc962cbab72

Download Submit
C:\Users\Admin\AppData\Local\TempXEFCL.txt

Filesize
163B

MD5
20bcb72f1fa6e4c82242f065f4017009

SHA1
ba5a1b6d5142230a36a60c41ea58394309611f67

SHA256
e18c91c2222ec2978c3fa932705ef430ec15d186bb071104df27641d87d70d06

SHA512
e90b22f3a3734e45f6641c9a6107ddf1b74cec5d408c5cf5ea085abbd82f54cf5c43c5df4015741ab8a9da1d2e34c8f07c48ce9e7b44d4599e6d7bd4dab8a742

Download Submit
C:\Users\Admin\AppData\Local\TempXJQUG.txt

Filesize
163B

MD5
e3ebcc56b7907ca8b7fba58d5c507564

SHA1
ab5d14ba5f17e3b7516b3e3bd9003c087dd25d32

SHA256
4fa9a33d2bb2167877d27880ebf871ec024e0c0530e58ec9d71cf92fba9dfdc9

SHA512
95f288b00fb2efa45cb281e44726e09dc4995e6a0ee24e5e2628eb9a859ec290c07cc4ef2a1c76cdc7d8deae181ccd6648e79c1f1b6e2677066e789c477d4b4d

Download Submit
C:\Users\Admin\AppData\Local\TempYVBTX.txt

Filesize
163B

MD5
8d838174ee8ed3220ee3100477da63b9

SHA1
2cc94e920b38437218cc484daf44a3a0cb3a00db

SHA256
e66207d4093fd122c4413c37f7591fcb16b877ac283757947547a7f0a1a0a398

SHA512
e6374bec6072403fe490e4770fdd106182fd3941a2689e63c7d7e2cda67125303d7b133235b8990e458b63c55deb6726bacbea8948714592183321bfc8b0eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKYUCXYMRWDDBJC\service.exe

Filesize
520KB

MD5
738107204a72c49ccdb597de9569fd30

SHA1
64457bad3c72ac6f6add083d708ff1f081b5e523

SHA256
261d70a808f902716ac0ca9cf549875d328eb10d368b4d6cdf9537a7acb96423

SHA512
f2f99e6b4cbdd91570c00a7b8e22dbb6f5f38744625cf5954ab52ae716d982e1d1437a8725c4302cdc72cbd3b834c82e04afc081a31c7a3d1cfa180eeeb702af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

Filesize
520KB

MD5
cdcde536ec0365d9fb6da997ec1086c7

SHA1
a4a2f66455b166a591dd92563389ffce5a2fb968

SHA256
bceef303246face3c834c7a27b5c89a63d26f9b2c4615bee5b9e3537c2a135f5

SHA512
aebd3f815df842d6126dbf6d5c928db1138bbce0ac18f8c49ff7f45b1859d027fd3ec792c239e8322d6021477ac1b3a8e6b9aba7342001cffe5777e9df2fd8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe

Filesize
520KB

MD5
c10a9464dd11c14c79cd32fcf61c8feb

SHA1
76521edfa18020253e7ceb10cfb1a33bed50b6e4

SHA256
e08182b47f6d4b7b0a15a882cada320c7c3d34ab9863db348e0575122ea89fd9

SHA512
a908f94e8643d463caf8301eb2f821025cfa2f29eda6ac7ee45f2611823d393675124129af888ffa726988b0b8573dc6bf75ac266ea610407e143331ffe70e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHYUUC\service.exe

Filesize
520KB

MD5
c5ef1ae20bd3d52a80513b237586b1f5

SHA1
021826bd83ece34564d4c19490695ac4993aaca4

SHA256
2cf15ad46d269f8edaa44da24fbac9ab2acdbdd301e4b071c224d5331612edac

SHA512
ee806e389e0114c71fbafec3ff1c979b1d82014d751a93e481f834366896eac0086f2952188569850556ccece016604d1892afc12e108a4a00d1e07334301a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUHNS\service.exe

Filesize
520KB

MD5
2d396ce7795a2a0e6fb6159d0e47ae86

SHA1
fac74ed98bfd5fbde0083dac5f7ee5a7d36c6ede

SHA256
1b3195dd4b1836f2919b304520edfa078d677d94a9050eee736353a0b6d7aeb0

SHA512
0c7b8f55014b05308919149dde89e1c817a2d329ec9c95d91a883dcfb42c2ce7f5b7824fad55543b851c7db96e5bc02c30ae8aaec9b5dbdbdd5617b57e910bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe

Filesize
520KB

MD5
f2de50cb9ed930d494b9e5a60234515c

SHA1
7e01eb1f36466e3e85a6272512ca7b96ea324dc8

SHA256
35eaee6ccc0ea19608f18f7c4dfc8691fbe7ddd029d1a18071b04f28b05060cb

SHA512
005b1dc0ef142740c8d1ea7c00073e658b2d452b46b992a810b62f32876d8b40bf15168326ffd1b98eacdd52751f130cda2afb83e90480f4851bc0f582125c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIESXIJGPBHMAD\service.txt

Filesize
520KB

MD5
e9be840b7ebb3fdecda6e35bf2b6eb27

SHA1
ad3edb8a095e03ffc6d7e3d44c3ebf55c576f8c2

SHA256
c8ce38daf1b4260ccd7c1d9b174a66b639735d0387b1c79c0dd24998a31c5e15

SHA512
e7dfb16c01c7a8ff1951c9932519a113ce805d91bf4fda0a4bfef5023f2e0bfc7992f059af6f103117a26e04fc2087c98c555bb949e3df5c5384ba6fa35452cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRIFATXJKHQCINA\service.exe

Filesize
520KB

MD5
7a28728772d8366fd5aaf97e278ec9b5

SHA1
37177582bc6e2af13404f5572227faec24914ac3

SHA256
c98e88ff4e5bfcfc636a58d260826084a26a474b648efe6b5148c6c1f1dc1376

SHA512
2266bf18a368df97dcebd64009b3f59ea0596492b9bfdb552d36258ab360c77e9861bcb0ca04d3e7019552aba5764e8c544112c86697e4b0c96d5e5721ba23ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IBRAISOJDDSTQAL\service.exe

Filesize
520KB

MD5
b8601ae7246d168fdffd524574d1dfcf

SHA1
974ea7b0564596580a3253502a5827d089b5ceb1

SHA256
32e134979bf7cbfd4cf48267dee52cee12547c67d508b13e62d3122052bbee5d

SHA512
b95d1c7a8d925e8765ea3cb5765fa0151b29228f4dcfe251b9f48161457181430a6d014f1df85ba99ed04e203f58ddaa2ada126f6985376622d6c1d727495f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

Filesize
520KB

MD5
eebfa915440d8e4d6119e5d099a955d1

SHA1
c3a9419f8b2c366b21cb38b6702534975edfa32e

SHA256
772494431589b270861f9c92371bd4b5c9f0ada90a771f24ba1bd2ff570c3fcf

SHA512
2fd14486d8ff3b41eec7a79ecbaade52af286d1ee93ae7351866b2d4fc20b4400e4a6ce37985955089c75c38304e001c9fc91db02c586a25225f5bd7d317abf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFUEMAAVBRMAHBG\service.exe

Filesize
520KB

MD5
e00e833e283e427b5e4464e88f7e0ab5

SHA1
2f573408aab8d546414ef1964b769b569fd34886

SHA256
8a975db2c674c67c619cc8bd29d768e8e667b04bc1ab1c0457a1473ebd3a77bc

SHA512
83051bdc4d4ce8d64102d25cf3489272bb8e1da1cc9006687d0f96a089212bae00f76892c9b1f0c92fd11d8a7fbe4ce078ac00c4ee31bdd43be7cebda35bebe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGVFNBBCWCTNBID\service.exe

Filesize
520KB

MD5
9ab633592d2f33b82e97bffd1cdc4c01

SHA1
b74ccf586fbd07c967f6547d1dca65618d04abf8

SHA256
657f1dfd898d71c2187a34628eb980360ea8c4cadfa334081490705f3a9f9a13

SHA512
bb55daad76f11bee9637d47efbf880e23551487d491c4398acba9c544a747bddf4b843eacdde2fcaed108add1dd26e19f665a132c2f19daf58a0488e42d11d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

Filesize
520KB

MD5
80ed6bf178396d7f224ee9cc80fe69fc

SHA1
896715ef307993046dff77dd74247cf68283567c

SHA256
a2ce9060ea36b0d8659a1cbd47fb9e6b7d8f3ced3dec1eba75b693082866f975

SHA512
8928a415e3a9f67b96949a797ef3a2b37fb1242c78d4aa5c1f7129996538aaee4c4b1b7973d49880d6abfa8d480796529bff556a5b4634f86f0ffe164c066e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXCTOBJD\service.exe

Filesize
520KB

MD5
bad57e7069fca39ed41925b1d2c81a43

SHA1
d30cc65758bedba4c0aa7c557320cb9b08a4ec0f

SHA256
3f1c9c3262a9f7c194f90356cb479cc4ff9ae326366835f07ade6f740d31bfcf

SHA512
58f42fdb608bc441a623026c2aeb277d470a0e5e7219da365f82331534cdc1a7a1572d89e219cfa1fa886d92c7dae06b0af9f0d1c0f9cfdcc5914fb95aab472c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RTJDBISINFWNBMC\service.exe

Filesize
520KB

MD5
35f0917f7814aaf2f5b9417f84eb9fc7

SHA1
e7c72ab18038e8d06e76eb28091b31788e7c9f46

SHA256
f4b5fba3cd44b1971493cea4878b1cf85bf045f76808f1d0ba30f9c3697015e1

SHA512
209703ebc1158f777663bb9f031ca972cc0acfc8fa881464c722e45e98732508c6e2b8a7db10a3e051a908440f22a0a64beafd35504f5a279ad77d05561e9e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMWN\service.exe

Filesize
520KB

MD5
7fb9b6e1f4d32d58c84ba8c8acaf9938

SHA1
fb5caeaca5dee6ce9c9cf6b8bf3a88773d5401f6

SHA256
b8dbcb918412a414969fdf77721b05e0985b286f8af9f7af734a473295f4fd1a

SHA512
ba581ee4c41a94ecd4d39808c606b1a47cbc8dc758dc3a09bbf04ea49d9f5694adf5cafb1afb57c136cc941d82e1e4c8a41d774fbb3a945acccd101c3d3515cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe

Filesize
520KB

MD5
28c8467e4b29874416185bdf3f43d63f

SHA1
145894a91a71ed5bca1d78bd7b31a6f471d9c7af

SHA256
fe17f6b824beeed7219a97417602b1b4d64882c09f401b11affd345efce4fb4f

SHA512
c89961fe7b92ee02efc2f76b219dfaf0b22bb6e1a5198df785fe08e97c3d17c26d5cd70152df66b17aff1a6511e7923e80c112c6cbae243ac1d6c95aaa997d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

Filesize
520KB

MD5
37b238846ea89488bd43bc1ccbaf50f1

SHA1
f2e9ba0e264cd7d57b7a502c5bf7c12d8ede55d1

SHA256
0bbaa22cf0c5cb818b15fb37b4c2b77ef2cbf2f7cc542df2545af8bb1746f8a2

SHA512
eda3cfb384610d8536b3b2eab6ad3e39a8f449cbbcb3b20b79dd058c6b3a164f226172671ebe267e9ce8eace68b905c0862c127bbf62b3987788980bb340d26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe

Filesize
520KB

MD5
18b8f9905bc4286d0eb8b46563a7a521

SHA1
b97c3f05f73ff51a8f50c8c21af370ed1700a27c

SHA256
a186413fcf8253b1c68bb74a41425aaec3df97c039e7c6b29ca2939d454067fc

SHA512
866f0b009b0b8f6fa919eb3d3f7165cacc184e4c8bb9ad1cb40403ec9ec0e10b77dde19dea73080129b88cdbe5f0374f6816cfe63d470a343ef5f8d3493328f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

Filesize
520KB

MD5
f4b22fa519c0dbeecede6f2979694b7a

SHA1
a96e3fb9acdb2800cc0cecb2989993b50b1df29e

SHA256
edad83521295e7185505290c0106e8de6213f334b7e207863ef79c1651c0ba00

SHA512
74421a8442a45f0a95da8fd172332ac1a98fc4b40431a64b66002fe0b962a045942f3660f4b9817f0cc59fd9a3709d3285b935203e3fe93ced201b77b0c7cdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe

Filesize
520KB

MD5
9200c8d039b5023cd7307f108671d04a

SHA1
317c82e053179d2ab3e004f0fdd505f90c554570

SHA256
9705a1c6136adcbf63658f0aab788a42de1d7824986393cf013bc03552dc49d2

SHA512
fcfade3e77905069649901a6e3529ddb14d45dc5ed1104b080765174ff43e3d73bf5fb4ff0dcc493431f72b81459c05f23bda0ee24dccb97c3179bea4db1072f

Download Submit
memory/864-1002-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1003-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1008-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1009-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1011-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1012-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1013-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1015-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/864-1016-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads