Analysis Overview
SHA256
161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81
Threat Level: Known bad
The file 161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades
Modifies firewall policy service
Blackshades family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-23 23:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-23 23:44
Reported
2025-01-23 23:46
Platform
win10v2004-20241007-en
Max time kernel
114s
Max time network
93s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOVF\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQDAPXOCDYUPCYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHLHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQLFAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRTFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAYTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQSNG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAFMWMRJRFQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQLJMBPWFRWGSEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHQCINAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDGSTOMPESAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQLKQMCPXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDQMKPCPRMFIJTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBFAPUNDDFAHVDR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDAJB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YPLKXENXUFBMFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIAGNWMSKRGQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIJGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVSTFLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQLJMBPWFRWGSEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HRIFTXJKHQCINAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOHIYRVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQEHDBSXQGGIDAK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLBHPGFQN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOVF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDMWUEALFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCCDXDUOCJE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWESRDLCUMIDTMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJKGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYQMHXQCRBQRPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUIIJECJFVIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGEUSIIKFCDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4388 set thread context of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe | C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe | "C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRTFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe | "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTYF.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDMWUEALFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe | "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXFNEC.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe | "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNNLT.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWESRDLCUMIDTMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe | "C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe | "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQLJMBPWFRWGSEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe | "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe | "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQSNG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe | "C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOWNH.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDQMKPCPRMFIJTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe | "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMU.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVSTFLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe | "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe | "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQCKBF.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBFAPUNDDFAHVDR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe | "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe | |
"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSUFG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YPLKXENXUFBMFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYYUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQLJMBPWFRWGSEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQCRBQRPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEJYWG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQDAPXOCDYUPCYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVOST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
"C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJGOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOHIYRVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPHBK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGEUSIIKFCDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGTSF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQEHDBSXQGGIDAK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe"
C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe
C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.99.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 192.168.1.16:3333 | | tcp |
| US | 8.8.8.8:53 | 158.161.55.23.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-23 23:44
Reported
2025-01-23 23:46
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
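The firewall rows above are worth more than a signature name: the reg.exe writes clear `DoNotAllowExceptions` and then register each dropped `service.exe` in the legacy `AuthorizedApplications\List` with a value of the form `<path>:<scope>:<Enabled|Disabled>:<display name>`, here named "Windows Messanger". The following Python is an added example for this page (not sandbox output and not the sample's code) that decodes such events and flags the two properties that separate this entry from a vendor rule: the authorised binary lives in a user-writable directory, and the display name borrows Microsoft branding. `REGISTRY_EVENTS` is constructed from the indicator column above plus one made-up benign "Contoso Agent" entry as a baseline; the key prefix and value layout are taken from the table.

```python
"""Triage Windows Firewall exception writes recorded by a sandbox (added example)."""
import re
from dataclasses import dataclass

# Native-format prefix of the key the report's reg.exe writes land in.
FW = ("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess"
      "\\Parameters\\FirewallPolicy\\StandardProfile\\")

# (description, key path, data) triples, as in the report's table. The last
# entry is a constructed benign baseline and does not come from the report.
REGISTRY_EVENTS = [
    ("Set value (int)", FW + "DoNotAllowExceptions", "0"),
    ("Key created", FW + "AuthorizedApplications\\List", None),
    ("Set value (str)",
     FW + "AuthorizedApplications\\List\\C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"),
    ("Set value (str)",
     FW + "AuthorizedApplications\\List\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe",
     "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe:*:Enabled:Windows Messanger"),
    ("Set value (str)",
     FW + "AuthorizedApplications\\List\\C:\\Program Files\\Contoso\\agent.exe",
     "C:\\Program Files\\Contoso\\agent.exe:*:Enabled:Contoso Agent"),
]

FIREWALL_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d{3}\\services\\SharedAccess\\Parameters"
    r"\\FirewallPolicy\\(?P<profile>\w+)\\(?P<rest>.+)$",
    re.IGNORECASE,
)

# Directories a standard user can write to; an installer does not whitelist %TEMP%.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

# Display names that borrow Microsoft branding ("Windows Messanger" in this report).
IMPERSONATED = re.compile(r"^(windows|microsoft)\b", re.IGNORECASE)


@dataclass(frozen=True)
class FirewallException:
    profile: str
    path: str
    scope: str          # '*' = any remote address, otherwise an address list
    enabled: bool
    display_name: str

    def reasons(self):
        """Why this exception deserves attention; an empty list means benign."""
        out = []
        if any(marker in self.path.lower() for marker in USER_WRITABLE):
            out.append("authorised binary lives in a user-writable directory")
        if IMPERSONATED.match(self.display_name):
            out.append("display name impersonates a Microsoft component")
        return out


def parse_exception(profile, value):
    """Decode 'path:scope:state:name'. The path carries a drive-letter colon,
    so split from the right; the display name itself may not contain ':'."""
    path, scope, state, name = value.rsplit(":", 3)
    if state not in ("Enabled", "Disabled"):
        raise ValueError(f"unexpected state {state!r} in {value!r}")
    return FirewallException(profile, path, scope, state == "Enabled", name)


def triage(events):
    """Return (exceptions_forced_on, suspicious_exceptions).

    exceptions_forced_on is True when DoNotAllowExceptions was written as 0,
    i.e. the 'Don't allow exceptions' switch was cleared so new entries apply.
    """
    exceptions_forced_on = False
    suspicious = []
    for _description, key, data in events:
        m = FIREWALL_KEY.match(key)
        if not m:
            continue
        profile, rest = m.group("profile"), m.group("rest")
        if rest.lower() == "donotallowexceptions":
            exceptions_forced_on |= str(data) == "0"
        elif rest.lower().startswith("authorizedapplications\\list\\"):
            exc = parse_exception(profile, data)
            if exc.reasons():
                suspicious.append(exc)
    return exceptions_forced_on, suspicious


if __name__ == "__main__":
    forced, hits = triage(REGISTRY_EVENTS)
    print("DoNotAllowExceptions cleared:", forced)
    for exc in hits:
        print(f"[{exc.profile}] {exc.path} ({exc.display_name}, scope={exc.scope})")
        for reason in exc.reasons():
            print("   -", reason)
```

The same decoder works on a live host by feeding it the values under `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List`; the scope field is deliberately not used as evidence, since `*` is also what most legitimate exceptions carry.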
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLPVBCIAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUJTJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXQGQJIKXAYFT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYVVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYHTQNS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHOJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABVSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLXOYRQSEINBMV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDXUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPDAOWO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXKLHFHXLSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAYOTYEFDLDI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGHSYPNRMUIJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAEAVQDL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTKHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGSWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\KQDAPXOCDYUPCYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESSGHCADYTGNINK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVTCWMCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCRBRSPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMKNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAVRMAVHWBGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXNYRPSDINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVPAQPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPKJLBOWFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
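The Run-key table above and the process tree in the Processes section below describe the same loop: `cmd /c` runs a batch file named `Temp<five letters>.bat` written with no separator after `Temp`, reg.exe adds an HKCU Run value whose name is fifteen uppercase letters, and the value points at `service.exe` in a `%TEMP%` subdirectory that is also fifteen uppercase letters. The following Python is an added example for this page (not sandbox output and not the sample's code) that recovers those persistence entries from `(image, command line)` pairs and checks them against that shape, also noting batch names that recur across rounds (the tree below shows `TempWCUYT.bat`, `TempRVQYM.bat` and `TempNOXTA.bat` each used twice). `PROCESSES` is constructed from the first rounds of the Processes section plus one made-up benign OneDrive `REG ADD` as a baseline.

```python
"""Recover Run-key persistence from a sandbox process tree (added example)."""
import re
from collections import Counter

# (image, command line) pairs copied from the report's Processes section,
# trimmed to three rounds; the final pair is a constructed benign baseline.
PROCESSES = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" '
     r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f'),
    (r"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKLHFHXLSBMRCO" '
     r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe" /f'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "'),
    (r"C:\Windows\SysWOW64\reg.exe",
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" '
     r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f'),
    (r"C:\Windows\System32\reg.exe",   # constructed benign baseline, not from the report
     r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" '
     r'/t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f'),
]

# reg.exe syntax as it appears in the tree: REG ADD <key> /v <name> /t <type> /d <data> [/f]
REG_ADD = re.compile(
    r'^REG\s+ADD\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<name>[^"\s]+)"?\s+'
    r'/t\s+(?P<type>\S+)\s+/d\s+"?(?P<data>[^"]+?)"?(?:\s+/f)?\s*$',
    re.IGNORECASE,
)
RUN_KEY = re.compile(
    r"^HK(?:CU|EY_CURRENT_USER|LM|EY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
CMD_BAT = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"*(?P<path>[^"]+\.bat)"', re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[A-Z]{15}$")          # case-sensitive on purpose
TEMP_SERVICE = re.compile(
    r"^.+?\\AppData\\Local\\Temp\\(?P<sub>[^\\]+)\\service\.exe$", re.IGNORECASE)
GLUED_BAT = re.compile(r"\\Temp[A-Z]{5}\.bat$")   # 'Temp' glued to the name, no '\'


def classify_run_entry(name, target):
    """Reasons a Run value looks like this dropper's output; empty means baseline."""
    reasons = []
    if RANDOM_NAME.match(name):
        reasons.append("value name is 15 uppercase letters")
    m = TEMP_SERVICE.match(target)
    if m:
        reasons.append("target is service.exe in a %TEMP% subdirectory")
        if RANDOM_NAME.match(m.group("sub")):
            reasons.append("subdirectory name is 15 uppercase letters")
    return reasons


def analyze(processes):
    """Walk (image, command line) pairs; return Run entries and batch-file findings."""
    run_entries, batches = [], Counter()
    for image, cmdline in processes:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "cmd.exe" and (m := CMD_BAT.match(cmdline)):
            batches[m.group("path")] += 1
        elif exe == "reg.exe" and (m := REG_ADD.match(cmdline)) and RUN_KEY.match(m.group("key")):
            name, target = m.group("name"), m.group("data")
            run_entries.append((name, target, classify_run_entry(name, target)))
    return {
        "run_entries": run_entries,
        "glued_temp_batches": sorted(p for p in batches if GLUED_BAT.search(p)),
        "reused_batches": sorted(p for p, n in batches.items() if n > 1),
    }


if __name__ == "__main__":
    result = analyze(PROCESSES)
    for name, target, reasons in result["run_entries"]:
        print(f"{'SUSPICIOUS' if reasons else 'baseline':10} Run\\{name} -> {target}")
        for reason in reasons:
            print("           -", reason)
    print("batch files with 'Temp' glued to the name:", result["glued_temp_batches"])
    print("batch names reused across rounds:", result["reused_batches"])
```

Fed the full Processes section, the same function yields one entry per round; the fifteen-letter shape is what lets a hunt query separate these from the many legitimate HKCU Run values, and the glued `Temp<name>.bat` path is a file-system indicator that survives even when the Run value names change.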
Processes
C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe
"C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
"C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKLHFHXLSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJJSNW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGHSYPNRMUIJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOWFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGSWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKUQDA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVSQUP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESSGHCADYTGNINK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MAVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEJYWG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVPAQPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQNS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe
"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe
"C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
"C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHOJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGEJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | | tcp |
Files