Analysis Overview
SHA256
30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d
Threat Level: Known bad
The file 30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Modifies firewall policy service
Blackshades
Blackshades family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-24 01:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-24 01:54
Reported
2025-01-24 01:56
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLYHHTQNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEEFAFBWQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIXYVEFQWNLPKSG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIIGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGATWARK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQVBCIAFUTHIECE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HFJXYALQXYJBDRM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe
"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHYAHH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXYVEFQWNLPKSG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUHPJO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCIAFUTHIECE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
"C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGATWARK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMGBWP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HFJXYALQXYJBDRM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempDWWLU.bat
| MD5 | 21d51ecedc46e539f6209a6366720a52 |
| SHA1 | a2b59a2415b66162f8f3953e9227853ee1ab3186 |
| SHA256 | 29d97e122e271f038c88da17c66955d2e8df8775b6dda841f1d1bd324e16e7cd |
| SHA512 | 29711e705ad80ca54f15b5e4a572a89067f332b163e706f05b47723236b6bf314df7d60e8060828a00224ca342b5e9a6a7b9c8cd27fdc17ad29f3036fd31197d |
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
| MD5 | ce047197e105d577647d4a1de7211f16 |
| SHA1 | 3ababd2ff909c29cef5b309c23856c5c06f1aed8 |
| SHA256 | ed4c348dca267adcd02d20f01c0b4572351ed8d019f700bb484949faa21118a6 |
| SHA512 | 3c15440871ae87da1b6cbf37cb8fc56a1b2c355c9ccc8202df447f043ccbcc14ed307967cfe8ef24970bb658b2d7d339bc7ab729f067346472ef34e52f2e6a4d |
C:\Users\Admin\AppData\Local\TempHYAHH.bat
| MD5 | d3b77b280a7cb43a7da70fbf515d72be |
| SHA1 | fe28f5a1bf33d4f85896df6a2b134f96c85f11b6 |
| SHA256 | 52eb451fa10d4ea85ad4adcfdbc23f05b07ef9e04f701fcf5255dc827afbb83f |
| SHA512 | 6b533800bb7fcd2b1c667d270c9d4f42240c0a6173b33811d8173bdaa344377520332d5ef344671a4e99ca18f800c076a88fc77c66cd523b2d82a9ab9852a825 |
\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
| MD5 | 556d8626a37aa8b412f2ee6b8fb47be1 |
| SHA1 | 83b3bdba3e60b1cbe3da8f26934a98adddfee5cb |
| SHA256 | a9459a314e0d6d8b5fb4887ba181ae9a5b7f8feed72c72615c44a422d1a00c91 |
| SHA512 | 317d5baa4a4ae54c971435a66704f10af92e502d5d950a4a1a4fedfd0636c09452f6a716c544574d7e7ed9a7a772a4118e31b5c5d20011ca4e23d0b07243798f |
C:\Users\Admin\AppData\Local\TempUHPJO.bat
| MD5 | ebb995f81295c2868c6edafeb7a65b84 |
| SHA1 | 100b44a8a8684bacee2ed36e165ff3d6f457b3ef |
| SHA256 | 4332530bbb9b6c9a54f11683c8d706fcc0a5c3d7b52a1353f5a34336db82493b |
| SHA512 | 3ba539e1c2b37c7a4a80bb4c7323a40f16c52b7e5db2a2930b2e090999d7033909ce68c3604f3643ca6bab68281dc16f3930f98d8a81e80499cb90e7fd9019ab |
\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
| MD5 | 8247ef8ef91bbcc663783ada5bf0a4cb |
| SHA1 | be7e2a80be3dd755b6d21c3bfa63f43831128eae |
| SHA256 | 91ac882d3db5473cfe6e3ad86a1c74e563dd65e745c0baddf800f6b86bec3da4 |
| SHA512 | cf40e44bc106f68289d8d063d22f9fbb3ce7b4cea71f5272d2f29fa9fbfb3eae067c6b7bb237f7fc55977a4cebecbf25a381793604e26c56e0eae063c5fb9e56 |
C:\Users\Admin\AppData\Local\TempEDHYU.bat
| MD5 | b0e3f78dd578c1827bffd537f7263b0f |
| SHA1 | 866ca32b655e01effdd00b4526f5756a5a6df846 |
| SHA256 | da7a574d162e97a70dbce195f1ab7df74022ad3ef406bf41325a0ab8c5554018 |
| SHA512 | 73a574929bca426493fbebdea7a601429811a25462d827b9c0011529ec14a7831b005af48b66cfde904ad8c37c055f48c06c0a077a0e7b5a67c960bf62b86897 |
\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
| MD5 | 02408cee13c5a674b57f517ec523c3ce |
| SHA1 | a61311b16a5a33e9319563f4fe406b1ca77e2683 |
| SHA256 | 4cbcff077a07f7a1707165e0b5e42f24a4a577847fd9765718eb2ceb0b55dd30 |
| SHA512 | 4fe3674e5073731300230c58721c44b2e37d43149fd776ba6b3fa527f750ba4a24f7132822cc424906bda1dc5a3e1fd582dab1ecf71a51671e3738f41702fe1b |
C:\Users\Admin\AppData\Local\TempKLUQD.bat
| MD5 | d47175ceaacf560d2223f3a3d44fba27 |
| SHA1 | 0d93ef4ec8d42c668c62ab148e2059347178421d |
| SHA256 | 7162b8b04111eda39d91132300930e3fba148a261394f77f6d2ed50a5a47bb57 |
| SHA512 | ce4a1856b81ee1bf877a47b2c76c7c675656bd5a4b140f894cab4389acf54d0be0dfed8dc890735412464d503e732dcfe1a99026839173998040c5b19157a7bc |
\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
| MD5 | 7fc3f7113a94178bb247eacb45eec902 |
| SHA1 | 6e63d6d7b8e50621d3725b9658f3c3e8c4c3fcf5 |
| SHA256 | caba49ebacc6998a3f76e4a5a2112d57ac55fc93e8035fe63d76092c3118a099 |
| SHA512 | 87b0d56744786f46f761046e3ecc253620171e5a2238a169a073f526e60189b75de53f783d12518a9c3e0d7ab4273e9a355bbfc109bfb76de21c9341ec9e8ef9 |
C:\Users\Admin\AppData\Local\TempAHUCQ.bat
| MD5 | 4b0d872f3f416957a182ff7e52c309eb |
| SHA1 | 0f1b526a0543465b9e3dbeda4d433788776401c9 |
| SHA256 | 6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88 |
| SHA512 | 4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2 |
\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
| MD5 | 09d6167fd94df9f3b1a3f8e6ed9016da |
| SHA1 | e5e5fa98ce8b42c5be7260dc7b7b2ff01140eca8 |
| SHA256 | ed3541daf5e2a6487f9635a37f5508e40a312b57e9ceb73b2c3f80e7fce337c4 |
| SHA512 | 864ff401811a2457c648f17b30c0e30578a23b319aaf6a8f79f1fe816e14a37c57e9a99b74823603d23e70ec03e8374ecc78ff2b21397969ed8b9aa7c87b1992 |
C:\Users\Admin\AppData\Local\TempKSOXO.bat
| MD5 | 090a59c0660d2a9aa20174a68b2c87aa |
| SHA1 | c8b63fa0d9a493948d1fb8ebd6aedac3f5b16c26 |
| SHA256 | 39b5ab49578bfa0b316ce8a98462b1359d803e6709054e4c6b9c900810365dc4 |
| SHA512 | e6a0b9e38ad4b47da4a78755015abed80f1194aa244c78570998a8118708fa8f0cea4f702eee743beea51e86ead1f24b9ab221001ce1656fc81e9746b8cc3551 |
\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe
| MD5 | 157bbefaf94997383d034e0ad65927c0 |
| SHA1 | d03406ad8b31b478d7b18b0df3d7ad591a76574e |
| SHA256 | c0076c42386ad73a1c30c3ab1797ac2b3b2148ea7663d176a46c7caf20310c52 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-24 01:54
Reported
2025-01-24 01:56
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
117s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMLOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JTPKTEUETURBMSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSITMKNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGVVIKFDGVJQLPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TBPOAIARJFAQJKU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYUSCXJDXEUNQRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQRMLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGSDCGYXUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRSPYKQVHEIELAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MREIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWSQAVHBVXCSLOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXRPRDHMAM\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTXSOQCIPPYAUTI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLLXURWRYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XENXVFBMGHXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHLHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQLTHIBIIRNVMBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKTFUEUVSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLWPNQBGLYKS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHRYIFPJKTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJJVSPUPWLMELMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBDGRTOMOESAIUY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FNBYCVTCCVLHPGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDXSGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CJVWRPSHVDMDXBM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENWUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBCHAE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DPQLJMBPWGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRIFATXJKHQCINA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTHIECEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTDOTDQBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXFCQUGHENFKYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFABWRELGLYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFVWTCCNUKIMHPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AHMCNPKILAOVEQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQHUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXDVUQSEKRRCWVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCUYTQRDJQRCVVJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KJNAEAOUMDDFAGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTAQYMXNJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFQVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJJHPBIMAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XDVUQREKRRCVVKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLCULIDWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WESRDLCUMIDTMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPNSERTOHLMVREB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNKJNAEAOUMDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4036 set thread context of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe
"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXYKLI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TBPOAIARJFAQJKU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKINAD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CJVWRPSHVDMDXBM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMLOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTEUETURBMSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDEBKC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYUSCXJDXEUNQRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXURWRYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTGFTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXDVUQSEKRRCWVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFSWW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XDVUQREKRRCVVKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMGHXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSFESV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCUYTQRDJQRCVVJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFABWRELGLYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMYUAS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGVVIKFDGVJQLPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWTSWJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQLTHIBIIRNVMBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKTFUEUVSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRMLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSDCGYXUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQPBJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJNAEAOUMDDFAGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXVEE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFVWTCCNUKIMHPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQCIN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFPJKTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFRCBF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AHMCNPKILAOVEQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYUBCH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWSQAVHBVXCSLOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe
"C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENWUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNLTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WESRDLCUMIDTMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCHYUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLJMBPWGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe
"C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREDRU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BTXSOQCIPPYAUTI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYQKD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPNSERTOHLMVREB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJJVSPUPWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJVGFJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBDGRTOMOESAIUY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQNMQD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FNBYCVTCCVLHPGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIECEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTDOTDQBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYTRA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRSPYKQVHEIELAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNAEAOUMDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFQVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.115.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempXYKLI.txt
| MD5 | 6a7cf9a2c25f03497fabec742b8ecc97 |
| SHA1 | ca9b6c34628b5e4b93312600eb8b5ef4ea8a79e7 |
| SHA256 | 5c519200f1cfa920c468a173e827ee04dfe6e1eccfe3315ef4c4644263ffb002 |
| SHA512 | ca065762d6c428e7497909f01a4cb97835229b23cb94271a6f6a12bd35dbeba5c9b66da22c3cf608b06dcc9ae458709f3dfafb7aa4c2e998e684db697dbd4bbb |
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.txt
| MD5 | 6303b2c3820d8ac21ae64417b49d2070 |
| SHA1 | e221d6849c7ff6c5ca7d1fe7db3a4a54d4785396 |
| SHA256 | 244ca40d4dea30c28b523270c809f68647112927afc648b79a1637efa1f87abe |
| SHA512 | 2b6f3570015718887a9433a071f10d2c06f7a47dcdf99966440b2ec8ca48715c8b8d80d31b110ce942360be6ff540c0df0e55b004bcf1b60cfe8b564438299e2 |
C:\Users\Admin\AppData\Local\TempUQYPE.txt
| MD5 | 474a8bdd998702329cbbfa871ad3275e |
| SHA1 | 49ea6726c74b64e11dc8a51df2016325bb13e021 |
| SHA256 | b91062336967dce92dba34e0dfc4a6f6a491b162b43473e1c80123cc2afba95a |
| SHA512 | d6e92f1ea542187de6d2e5d5eeee2d898972be84497eef7017d755c547e00bc64dbb71491a3dd2824c0309cbef237d241c9b7abd05ae29ab9e789a6aea661b15 |
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
| MD5 | f0f9c435a8359ecaf1432d366f83f762 |
| SHA1 | 62dbe8b35d0d9d6c081e78f13e4b78ff6dff7587 |
| SHA256 | d43ca043b3621be54160f5bd394b03ab557125165e6d746cc5d552a013e9db62 |
| SHA512 | e9b098555c0c45a4ca3a8658f70412b1131a99a13f0d534c7287fe365cb882d9201e67e8db4f7c299bd73084928f74288d6db36bb8c57277a172cc799c1021f0 |
C:\Users\Admin\AppData\Local\TempWIGKF.txt
| MD5 | a39454a73687ba6724aac5a2dd46e82b |
| SHA1 | 5aefa4688cd7a115c87d470b61e35250366307c0 |
| SHA256 | a9ac5445ff333c0c317e924010a3b1df0807d3688171fa19ded3462607f36323 |
| SHA512 | 008cbf3e97d0000d6e3934a0cd35c164cc4684768b032cf0235f5821d0d4aace012d2f04a5ae223b9dede91070f8cca508e6523a74d68c040e393139c0c46571 |
C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
| MD5 | 2dfd2953a4523486f9a445a0d7f04a19 |
| SHA1 | 49dfd01d930ce1cd07e872c2ec392004afb6902c |
| SHA256 | a5c7036dc8c254a30f4e1475bffaab6b28310252f7d3d8dbd6e2464bd6c87b24 |
| SHA512 | 712e39ef1ee54d8ae3c43bf501ea1fc412fc37293e9044801e35fe59299bc376e961da725628888a5d266615ee39bef9acc9fe3fea568ce04e2d5135e4d64ffe |
C:\Users\Admin\AppData\Local\TempKINAD.txt
| MD5 | 0a4949b01b555b96a67d5da734350f27 |
| SHA1 | 56c8be53876cf2a4cb4a122a95500b662b637db9 |
| SHA256 | 5561ab85d862f9fb54cae67a1647a69cf03b491656ac6ae32b7f1ffc6c45c07b |
| SHA512 | bf98dd02cf8bda2f74c92a7fc5ac1af823ba3842260bb1a748e4e854e751fa228533a4b69880b7c0a2b3aa994bf65ba6b08253c18a4f712d9afbbaba364a7bb3 |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
| MD5 | b9cb4660c43cf05541d5b2c147290488 |
| SHA1 | 4a0a3372a8f6e31b2830ac1e0a9b97a475d8d4a2 |
| SHA256 | 97e9f32cdeb8325677dc8fffa30eeb80d051db5a967cde941a9d905121c1f5af |
| SHA512 | 7f5a406f7339c255ca3c40a7d70673b05b965ecd364d2ea1eb256f892731f2389a2d3defba40d18ca9c8bdc909a6cdfd2d631825776707aa6e7bebb83cc35e32 |
C:\Users\Admin\AppData\Local\TempCAJXF.txt
| MD5 | dd9b85c1af6e757ed070222ec926d5fa |
| SHA1 | 3a3315571ea00bc351bcb25f1771fb38de381a6c |
| SHA256 | cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec |
| SHA512 | c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3 |
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
| MD5 | 5d7e0992bf8783e7873b38b61fcb6fb3 |
| SHA1 | 6546020499051ff3af2b9e3e099152b6a0b77c5c |
| SHA256 | f72f4ac4ac3bc8f9c1913ec4da05d6eadffcbdd79a502950854d6f1bb1686620 |
| SHA512 | 9e94127210dfcb248f4df15a9588af105c61b0dc433b9e4be1a59694a81561ab84b14d9d39d5a2a23207af7c8d8fbd4de51547ccd410cbfdca5d8a3d161271fb |
C:\Users\Admin\AppData\Local\TempFGPLY.txt
| MD5 | 673f3201100fe8a257c12e36f4049a29 |
| SHA1 | f97afb1d3b91a839c87d2001b497351d2bf2f5ef |
| SHA256 | 4b736c214c6432ed6ec4c1b7c8ec97658fbd66a276b4b469e89b92fbf3721e26 |
| SHA512 | 8ed78e8fc185d91af59d99ce418bbaf3e9079dcdccd1c38c0fe9574a4abfa6d0bb310084d07e2438261f6ba4d60d80b8286d94d763b3fe4c7ed902d9abd259b3 |
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
| MD5 | c265f95a1d0f7af1fdf466675b9495fd |
| SHA1 | 72db52d11b059f1e8dce72fa12de3574005be3ea |
| SHA256 | 9590ea0e52c581e737c5ea550c87b00cf3b6da5ac800f400e23a2adc5270615d |
| SHA512 | d1a8842f1c482c77d041571608278b470c96df30497c14f9556f15d40a63d3ab952bfd4e39d4afbb48617e8a3dff25b0a85fe1feedf103a27326d00037ae08e2 |
C:\Users\Admin\AppData\Local\TempJHLGO.txt
| MD5 | a0c381d2968be48fb7079e9cafe78bf8 |
| SHA1 | 0388345405dbf9cc6fa67ce3bd5c4829aa531c14 |
| SHA256 | e4f5c732140d0db0cb5f559867a4c66658387c88fc80233b72b93e573377608d |
| SHA512 | 3c2e7416eaeae3717d757b003ecdcea985df051d715064a095e81d4e5e19f96f6953786e6e7c931ae1ddd84a933b8c2e3d3718e77c1313c64dd9056111de1493 |
C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
| MD5 | b1b4ecd26788229dfe876c7dbf9904e8 |
| SHA1 | 74326f58fae9d01bc5363ea2cc8dedd9260cb9f2 |
| SHA256 | 9ee61932caf25bfe7fe90e13f0a2f493c6a2b71f810da2ff8208e99725626084 |
| SHA512 | bc020d048be7ba84443a428f4a6add394c83c3789455285d3d617954d81f6a96204e1e81593830ceb3033e595d94ed88c96653750fe6d93db793b000372f8635 |
C:\Users\Admin\AppData\Local\TempDEBKC.txt
| MD5 | 707d04d8eadcf6c40e6620322e2f60ea |
| SHA1 | 45416b3283d41efde19d3ce6ae7769a89c3cc572 |
| SHA256 | b9cffa05a68797106287b7cef274c3078135649915429b468839807bfc206908 |
| SHA512 | 05b6b331679438c4aab6dd2db1b6c7f6b9aa3f394a9a6508b057b89805e3af5ee2ae7747635c69c98e13f4e654ca6b0a3976775d42405dd402b1a961b496f798 |
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
| MD5 | 4cc16737ee3c19d4cb0683fa348bad99 |
| SHA1 | 76c0d51222e7392042374ed9ab807b86e6890fa4 |
| SHA256 | daf5f0d2b2d5aef15d5679dcc28dd7420f5dd00b9fe825fa038604cb0dbec86a |
| SHA512 | 83d2f9eb7bf764695127a723d80b2d14f7403866b401b9b0f6f3ebd7939ecce3244f9eb7b76ae19955934183daf2e2133b90d1050c5b2f69d81d28f8d3af4ba2 |
C:\Users\Admin\AppData\Local\TempYVBTX.txt
| MD5 | c2772bee63397964fc1f25ee8bbbbca3 |
| SHA1 | 48e44c0cce80ee73c63a25a3a8009b3fd528b67a |
| SHA256 | 32a4d5b5dd10dcf83cd9cf00cb85f0c7cb7da4967d6d50ce0b706bd9f2ee31af |
| SHA512 | 708b5d55de48c769733ff60926ddbfe69db79880452adb0716b6d2f86306ee1b24c9f31c677bd8d5b780e2cb1a71baa9443a28783417a2e0a9de08a40bdf6d33 |
C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe
| MD5 | 35ddbce7095ddbc50626db5f7e7befaa |
| SHA1 | 32085504ab18d38758d8fe5ccc92c44339710ac9 |
| SHA256 | 463db2a20afb084e5ec3a6620ea95d54b588ec4caaba7e0341fb3648aade4cff |
| SHA512 | 64151797e4d97d4e2a84cbd5d5867b862e23f33a3ceb651c190dc184fca8bd2050feee2f80da83220ed23a41dee959f8f73d65ccf505f593185498b9505f0fac |
C:\Users\Admin\AppData\Local\TempWSSHQ.txt
| MD5 | e889e2b2c41c2d89c09d40bee5a9965f |
| SHA1 | dd4fe27268d34a17fb9a8aeb3cc364fa9856619c |
| SHA256 | eab66596afbf5158280d6e54619d09f40f154cabb151d5f6d3f8e1fc7ae5dc7d |
| SHA512 | b85ded74a7f5ea8059fe93e46425cce45aa4958eeae4a1ec8bca376ca365c3cc4c44ac079dfd82b0d0e79599e41dcc185eb25983112e63735b5ed40a0563da21 |
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
| MD5 | ef5c29995033ffedcb0da1165b755513 |
| SHA1 | 572a935c031567f617234b976a2cb5d37024fa3e |
| SHA256 | 57729ca4207de7e1f77708aa9d92f9abece4c0df29e7c3d11540ad7799784684 |
| SHA512 | 36b268dce93da4d8a1d5949cf0c31633032b5d62e5ddbbc9914f8f0082511268475985ea5e4552c8dbfdd097f7c5e31ac71da21c8baf31d46aac887c6932f318 |
C:\Users\Admin\AppData\Local\TempTGFTA.txt
| MD5 | c1467c6fa1d4ac04889d3e595dd3f1d4 |
| SHA1 | 312bf2d74dcaf1cd3ba780d752c02e472af2f816 |
| SHA256 | ad3c5dabc4cf3202c878dbc084dd6719632e6e611a3395aae0ba6e85542a96fc |
| SHA512 | c55db1d35d75f2369b1f2149839b35a07c176113ed0d46936a937fc0fe94a75d8d688bec04d0cfb7cf12a75dc9466eb3a126e38bb6586f6b7719924ccf7a1247 |
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
| MD5 | a9556eea3012b436dc0bcd3dcc1dbf13 |
| SHA1 | d41ac58629d8e21dcfcb1ed54a1fb4ddf79530e0 |
| SHA256 | a179f25dbf2f045a04c8f005838c87359416c7f023e30a6e369e42a113119099 |
| SHA512 | e47b21c571af6b136c9ec8f536cb1475a0b8907f253858ed33b31792d54066a1e52c94a3034f0005675b0e3a1f845975d807f831800ac6a4844cad0fd4951938 |
C:\Users\Admin\AppData\Local\TempVRQFO.txt
| MD5 | b4884fa88aecad738e4f70a6df7c5442 |
| SHA1 | 896ee53454e23fe6250ff107db15675c733c2458 |
| SHA256 | 30b1803e2d106a97c62d74f5f1290e0637bdafb5743515bdb7a5787523691cc4 |
| SHA512 | d95c13394aa5aee5f3ea07e07b7a525b6b6e7be83170fcca6a4aaff8c3e45bfe7f2b899bd6bc102b8d9444c7b0cd3ccd491f408bd9ab4bc8097e14e379d85572 |
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
| MD5 | d1786870294549fa280c30930670f474 |
| SHA1 | 8c85a583a7eac0e0ad3e540224f1ca1b8b715075 |
| SHA256 | f3ae262d5dcacb7ec31115efa0545cff62eb794cc2ab943d19b33f50dcd1fc3e |
| SHA512 | b4f4b7d7c1474a9d80b083703fc6bdf47524a060fd902a9737832ceb241b4dd1d48c3dc82451899ea49599d731f0dead36019ad59035a517cde6e7d239128188 |
C:\Users\Admin\AppData\Local\TempDYBNK.txt
| MD5 | 4b6d47751dfd37738277cde9ea821f56 |
| SHA1 | 89d9dd9b82f6c6f682b22c0b21e1b9479884640b |
| SHA256 | 772c800aa5c76ab47196bbecc34bfbee419d02e90f6de096aafbbb6a77a0dec3 |
| SHA512 | 21dfe78a52933747ebb17d8a8b3d0b4dd67282e8e572a02f91fb300d50b4a98a7467882737a183db455215d7c446fb41c64469346699dba1c12cf15026f474d8 |
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
| MD5 | 5a5732461c5c53edb7e03d6d1f09bb89 |
| SHA1 | f5078e0f939bfd0842d0150236efbe4e9bf5a0de |
| SHA256 | 57ff260c51d980cfd231f82ec58cb1474645f72b42b72e70a83453260323a8df |
| SHA512 | d68e029127dc3c2447ba2d15fcdd159790215eda7de85fc97b5975e0dbd2c8cac50e5c52328980b1d3892fdd92d61a719b0fd0aa12e03c5b987f1d3a0b5838aa |
C:\Users\Admin\AppData\Local\TempHEMFK.txt
| MD5 | c25dd0f6017a27e1c0d70b5c1d5f248f |
| SHA1 | 0d367edfd96e45c8a8a2aa68cfd91f8c64415e9f |
| SHA256 | d885731cf0fd31ef0fb85461360ae0166c60843ed53bd6e5e2e5e9ce7f9754ff |
| SHA512 | 00597dc4f125ce98f44d02b704ea1de8dcdcdc4e88aebd4a627e2eee67e81edb34c0cd34d7b962cdefd466e6e572a5059147424b54e69dd58319fdc26720e46c |
C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe
| MD5 | df31252eeb149edf9865d26680b62e4e |
| SHA1 | 4f112a581a13f550a0523b0b8329ae318f902f1e |
| SHA256 | 0afb5672736d2d2b1c17324ce3ccaac50889f9fd490253fb00462ee1a2802752 |
| SHA512 | e813185b8df9b1917cbe50c51add1a1022f2e4065047c7e4f5c6f169a1e1da6e9e47295eb811adae52e3b116a99df9f9a34d7538e5b6ad50b7b3544a2d4e4c2f |
C:\Users\Admin\AppData\Local\TempXDVUQ.txt
| MD5 | 4004805be9425a828f1421bab4a3a78b |
| SHA1 | b8a6fc4e959fdff961ce6aab8090fd1809c19590 |
| SHA256 | 967b88ff41ccebf1a53fa4b1085ae1805561464d535440c5598d4e9072721aa7 |
| SHA512 | 37625ff599536cedc336402ed823bbaf31b7d12c05a87e674cfb4f0fbfa7b2a6386f66eecd0373c43d9ab9637c2127c66fc31de07235be3baac2aaf0b1f193b0 |
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe
| MD5 | a908ce620cb50424094fa1b652bf15f4 |
| SHA1 | 53e10406621db65f987ef1efb151e49d501954dd |
| SHA256 | 987a9a570a6171984a159e6ee752433948cc756ef13ae9ed989f495fec04a24b |
| SHA512 | 8522165d77ba1f37fdea76c9f26be2daa3c04a8152709947de807783252894e1b6603b742a2d39b86d3bdb5a2d97bd06e4c3e6d928924c3e8f6cf63bfa0952e1 |
C:\Users\Admin\AppData\Local\TempSFESV.txt
| MD5 | 6e0058352b4cfa865c641f38e4ec9528 |
| SHA1 | 5333d313b12f5ec9112dc290d7c8ab26275270ea |
| SHA256 | 61bfd6e3fa523751a4195557da3cf1417c5db08e6b4f3bbd55e3eacdfd279988 |
| SHA512 | 7c9d0cad77dd9494e10ae086f73af3ff87a24f3326f996a9f3d5d5aeed123b885d0d945528b951e7371d7f8466368f977b80e5fbdc412b090de53ffbcb20ec57 |
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
| MD5 | bb9c8dd5418189dadb7ccbd4705bbfde |
| SHA1 | 363370a6b43753d2ca49e05110fa4519416cd32a |
| SHA256 | 7af88d0c8c168d211f4749402520434a571876b66d1a9533dfaccdfdaf2a8c35 |
| SHA512 | ce024e212f0b5e1014effc32f227cf6b59f41721ce902b6887a7f2dd19f76deab0d4270f8a2e53cfe506b70194305c1c55bd8dcd710f5d6cdcb03c9ac8d5f625 |
C:\Users\Admin\AppData\Local\TempTQOSN.txt
| MD5 | b1f3919dd1aff2b33d48792acea98956 |
| SHA1 | 6ffbc4267dab56d021602cdf82b34b09c7ce68af |
| SHA256 | 1b5360c0685d72464a008f6b3cc2abf844c308d0fff252e585965283667e6d4f |
| SHA512 | 54b8d5cf03738efbbfdc1475f9950f73c134099db5beea390698d66dff11737a84615f93bcb02da68e0bc1c7629bf2ed32213c5ef2fe989f8c5b9755aaffaf4d |
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
| MD5 | 679319d1465aad32d3c7bc882e51134b |
| SHA1 | 12523da9a2b640a577446ab549febd80519f8dc1 |
| SHA256 | 297603ab96cbd7ee24ebc552d9fc9225eb2ac095691c2d5dd3656e8b60228779 |
| SHA512 | 69d3839fbdd8e17772afdcc11d85a2916b9afed8a7264ddb6f4374809285fd5c4b395fe0a087210ff95bf08c74699629ed99b6c7b8cdabf2e37bca2cadeca55e |
C:\Users\Admin\AppData\Local\TempMYUAS.txt
| MD5 | 5de012dba808a76cac73bf7f9364e253 |
| SHA1 | 1a9b1bd168ee27c68a1ece87de004a4f427855d9 |
| SHA256 | 7d865e2ef3ac909137da14b315f4702a09140c56a9fa6769b872eb11d507d273 |
| SHA512 | e758aa5d3830b2e6cb6d8006567c85396fef39cab20aea6cb769a55213839a18256f3d201f1b77be0c3aa6790d7db39ff2b90edf5ff06e400090b881c47f1a29 |
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
| MD5 | 9f605a51590016d9ca9077ad0b730d4b |
| SHA1 | 1b1a77f956cbd9c0523b52a95c82c4989aa214b9 |
| SHA256 | f828249b39ec79a523a10d197bd1a1072b9965b09018b9cbd2851bd2a65989e0 |
| SHA512 | 9566c46147778b7390c6fba1785f329682953e82a2c98473d5ea4cd4d8c4b8baa2ecc897553986d65b266f8b4f0a73dbe33f0bfd223db644678144568381a84d |
C:\Users\Admin\AppData\Local\TempXMIRI.txt
| MD5 | 748c2680f1565f476bebf0293522b917 |
| SHA1 | d204341d0ec0d3c6c2ad721d573efbacdccb208f |
| SHA256 | 2bf06dccf0e5f3d6f5bc7d01b31e00ed07c0cd6221004d825f5fee203323261a |
| SHA512 | 99005b5f6afaa0cffab56f590062d19c0d27604cab9c2c77a9620d9bc6765a4d0c7b92a8ed0dfa23e80087135bacb3039a96419752760ca576cda9146808fe8b |
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
| MD5 | 9f78963217def3910ac936d804a96628 |
| SHA1 | 28bb32dcc1dd6767c1e14895d383af1e45f35ebb |
| SHA256 | 024646e7f72e1af141c3a8d5b47709268d0d3faadd92ee4be4a362c669a088bf |
| SHA512 | 46eface2f0ec561ebeecdc618599f70e5cb7bc0ea0b3fd5469f546df45f127478b6ce053b965613c70481e8e2e3f4bc726ce6645627eb9aa54415d45b9e7a3b4 |
C:\Users\Admin\AppData\Local\TempWTSWJ.txt
| MD5 | aebf6eb0347e03e8f4357d9b3a9193a8 |
| SHA1 | 293d3f059e4d346f8d10552512f48477eb12f3b2 |
| SHA256 | 32f13e7683bd48d53ac6216812b0f670e22f663326d93062f0c7360f6d5e688b |
| SHA512 | a8d963c079524327f277c1e5eb3a107b64b57d8accd6da0f9758d3cf73c99a2147e00a7609f18e072e5bc7630d6eb45aa6f25fde5a6d9b2fcb8e85b4d99a613b |
C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
| MD5 | dc83a0127bff374b00f9126e68a2635f |
| SHA1 | 95358366265cd43177da44da0118efee81b4daca |
| SHA256 | 9a26c8616f73111be82c813e8ab96889d9f4fd137057d94193730b6c3a07d6c0 |
| SHA512 | a04a941c11f5a79a3179140b5a5bc3edc49662e558931d87c05ddf1468f073449e55666c1356be079b07fa612dcc4c2a83bf7c819112716e5e81923bca6f0705 |
C:\Users\Admin\AppData\Local\TempXWSTT.txt
| MD5 | 601e13abe3a7c6c4ba9ec5974385f941 |
| SHA1 | 11d3359c26ba1b2a30ac5fd86771641fd3480c35 |
| SHA256 | e6914e4e8ff8bbdbb6bcd169d24885e364f75ffcfbe5e0bebd345d55a50e0f38 |
| SHA512 | 9b2f07abe4efa44cb181f5b6c6f80a2e52c0cc536d38d4ba77ce0b98fb6b4d78adf2c5247fdbff966aef67bdfb67805cb9862e5eb36cde513d4e666ab4eb9572 |
C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe
| MD5 | 1471e0ca41e500dd609c5967f5a68fdb |
| SHA1 | 9ea5d530db9eb5e8326b8c237e24c6a86695aa9b |
| SHA256 | 82d335e1c944e64745a04c3b52aa174a6da78c3de1908c7e1fa7d3207bfb54dc |
| SHA512 | 1c17a53824fae12a2c79ab2a4bc7b7a2fa3e274e5abb4f78c2d354fef6ae18c71d466af84426754e3e2814cf0a186768c0492cb53cc26a23b9573348369763dc |
C:\Users\Admin\AppData\Local\TempDGHQM.txt
| MD5 | 7cedb3d42768f20679a594db5102907a |
| SHA1 | aa67317acf7a8bb0918555dfe9b53ff203cc2879 |
| SHA256 | 01893a2be0e431b455d0ff12a54061710bf853577b9951c3db90f2b69840b018 |
| SHA512 | f5e0f0b08258ac2645048fafbc71c4ada3374b93990c62833e443d1de313b541d026778d27c4c5d9504d21296a01281227785c8751fdc93c57ec250a2a53bbb1 |
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
| MD5 | 02a41c99c4036a88f43d1bf420dd811e |
| SHA1 | c9341ee7cb554b305eefb31634fa76d072129c91 |
| SHA256 | af33245d83083e364a6e96b69906d569dc0f7185208b36ff21d8a6a98747385e |
| SHA512 | f720eed3793fd63fc047b0c19f25d0825376d114d307975c32f4353fd88d3a5165a59b197fa9915aa48111f7a520b080c8585bf3d8a2e6ceb2385b2a9706dd94 |
C:\Users\Admin\AppData\Local\TempJHLGO.txt
| MD5 | 8509bf9401bc0a70df2801d1a6c97866 |
| SHA1 | 8c3c97ea6e580ef8abfb31cd54a8d3c933b08f14 |
| SHA256 | 79f858d8438fba230ba0df8e090549c443ac3a95fef05ff7f7495876af4ddb54 |
| SHA512 | 35192bd18f309f2dc562f5eca04c9444844f032e7d81f578c2c737470a11d200d9d3d1ea0b9450f57e2cad3b83a8ff0a97fe039852d76d644df84ac0d479408a |
C:\Users\Admin\AppData\Local\TempQRWDE.txt
| MD5 | 6e3815379c8f480ba4bf4314d9c8ae36 |
| SHA1 | d38d3f6a9c42f75504efdfd7e29b6854707c35e5 |
| SHA256 | 050f9da0d56aa7132b7b3085d091415b9e80bc02528b3bcf2312220b928b2869 |
| SHA512 | 3cee7e22d0d114305306070bd9af41383904d1d8a8bf2d290d86cf191a6bf08277ac930f47d59187a78c6545ff26c0e251501508fba62e76b89b9097d08b624a |
C:\Users\Admin\AppData\Local\TempUASWR.txt
| MD5 | 61101519a3da1228d0e0498cf23f87f5 |
| SHA1 | 23984750bbaf6fceb0c0fbeb529e99639b05e8be |
| SHA256 | 9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac |
| SHA512 | 26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71 |
C:\Users\Admin\AppData\Local\TempUFEIV.txt
| MD5 | 2d79e5a174e0c2d7b5f847285e2b0c5c |
| SHA1 | 2c2ee0c9d35c15f144590e1ce1be936bdd7b9bcd |
| SHA256 | fae75501fa5030fd4ecb0df3ea07cf1f0e2f8b867d3dd8fb60ba65c933011811 |
| SHA512 | c7fb07e0003ae95a9e47346dd7a7e099c4f224dfd170d01ea276af3e458ae26ec85922b2661f8c8e16d10ab26fea41c5e1010903f37942446d4a26dda404f330 |
C:\Users\Admin\AppData\Local\TempVGAOX.txt
| MD5 | 8f1ebadc12ce7eb03827462ace5798bb |
| SHA1 | ffef26150d6aea7f5230f54f396fdd962a867d05 |
| SHA256 | 4debe61d057f2dc9c80bfc3ef55cb92aecba7cf3a48282cfbf1736a9d15670ea |
| SHA512 | d45fda1816ba8341423369f9e95eea987cc139586e390cf0a627f6cbddc7ef8ff178aac4a1516070107a4de08c414a60dd9049c1d0949563dbc0aee8d46c570b |
C:\Users\Admin\AppData\Local\TempCQPBJ.txt
| MD5 | 09061505e34645afdf2dd58a50775a35 |
| SHA1 | a8e4f91b1d4c76f68f405784fd17fb0e57ae9701 |
| SHA256 | e7c3b3a9b765d9b773f8ed8c2330b02ead44f94946b945ee223ad71ff857b22b |
| SHA512 | 8182305be6cc91e65d13bd12ee3cc54a890547f79190f88886eacad355e6f33cc947acbbf59955024c3889be76ba74099a1e1562527c5b08ddff8868a610614c |
C:\Users\Admin\AppData\Local\TempOVLJN.txt
| MD5 | f3931ccf4bdf284ee5fb347c6e43bbf9 |
| SHA1 | f538a7c05c86b67b4989635505496f06645b6758 |
| SHA256 | aae5447814b780af09a0f1a0e4bb253dc6dec2fb60f5bdb4e9bc7b27c21f77b4 |
| SHA512 | 64cc45490c27133d4599cf71ecb148c129b33e83229572c6da074334a7016f51c1fba50ecf66b401fc2933c08b8a0a07a7292bd86bab251655555b34f8471514 |
C:\Users\Admin\AppData\Local\TempFXVEE.txt
| MD5 | 58011a41e484beb480a74d17c7cdd1ec |
| SHA1 | 68c2fa7c080d2eba3f7c2092047991e2cb64ceaf |
| SHA256 | 714c6d484b04573dc88ca6fa11639bbe1faa5684fe1a9454af69c96970de6329 |
| SHA512 | 20b39fd418a870fe0724b90e8109219734f45ede42e812f9085e6fa46ca856a1e9dc5579393c7fff6849cef4b6386b7ff8837e3864113b4b77fd7c95b881eac3 |
C:\Users\Admin\AppData\Local\TempHQCIN.txt
| MD5 | 4f8e2eb175512bbf2f4fcac496593d63 |
| SHA1 | 462a3cfe0bba8a1c439dd568b5e8014ad39dd58a |
| SHA256 | af46c409447714c8112f5d2dcbab67e29f528e068fa3c4bbc0a0e9ef79041b75 |
| SHA512 | 0e5cfad7ac2fbef753f9b88590c4a84dea8cb9277392ec9dab9905055884c07f32ac4e73e57bad871b6139d84f9bdbcdd0a3b2b4e8794efeb700501a087f73bb |
C:\Users\Admin\AppData\Local\TempFRCBF.txt
| MD5 | 6fc4da483c651185221b5e788e6086a6 |
| SHA1 | dd19d5c383e1a364bf27f67006787766ea8f031d |
| SHA256 | 28d15f9e6bddb3e835b62aa3f4722566930371a04c24bee06d0d89007e3ef024 |
| SHA512 | b93e65ae41cd591d7090cd7a103db57c0ddf06ebdf92eba6eedec563e52016d0d97aa70abfc97ee9aeec332b04304607d2db9b1aa9436adc0786c50d106ebbdf |
C:\Users\Admin\AppData\Local\TempYUBCH.txt
| MD5 | be924e320b1e92cbccf2e9de781be821 |
| SHA1 | 09cf142e3df6a20ba6a1a1ac4f3728fe886c2945 |
| SHA256 | a98b0fcaf22d109ab3cd7586424a986d02467e143625b9df23958a2d4e176b81 |
| SHA512 | 88edd1c598bb34763ecc3ac3cf192f05d6a8f5940de6ac29107af234239140c5b085c588d5a5eb48828e6dbde8072c2ffda8b03a6ef1d783c3dfad1347ee9b0e |
C:\Users\Admin\AppData\Local\TempFGDME.txt
| MD5 | 394c8beb81d73c641d531bb0b6be1fa6 |
| SHA1 | a63ba048872e14b00514bcc9e2251b1f5ae94cef |
| SHA256 | c2d64f8c9e90503407dfa5ad777e116ff0c53328c356c917b647383e79abcbbf |
| SHA512 | 32b232b6fecf626653b8eb77b0d4f1a124690fe994e3051e5891fdac720b15c460583793524cf8ac16e8b25665fb303d4d0859fb88fb5462c2b19ed6e036fa75 |
C:\Users\Admin\AppData\Local\TempMNLTF.txt
| MD5 | ea80b813a13113ba6ad8554f71b3dc23 |
| SHA1 | 49d03b6e7cea3aa994ac32fbc38c0a41d1ce22f5 |
| SHA256 | 9bfd6a52cfe047211e8f76dda5b183af2817e8a77700498150069d0594295c48 |
| SHA512 | 0e07f6a43094a0a838c449fc564cfcca6d874daad56fd52463654a6f160be2d851e6d72423ba9692af36f058431894248269d03f5a1f0526bb9618a33d6decab |
C:\Users\Admin\AppData\Local\TempCHYUU.txt
| MD5 | fe86a1bcc9e6ab20e4c242d1b4b8a4a5 |
| SHA1 | 8acdd52e21c9479143e8f19462ef8ae7d1f25e23 |
| SHA256 | 4aade04c584e35c19dc188ec5bbce171d35b47a8d97244022dfd4df2ede1daee |
| SHA512 | 063953813d9d26ae3e7deddb68a44145fdbce3677dec57f9d31a6b946ff7bc42d540cf5f0bb5b570c80208fc2034cc0992dfdfcbe9a0abba32014ebe0922d65e |
C:\Users\Admin\AppData\Local\TempREDRU.txt
| MD5 | ac43f82f5a12232a199157db6a4c9076 |
| SHA1 | f03506b3c36d1561786aadb357c82869c55c2ea8 |
| SHA256 | a809ee44f1e0595dbca60ad3c70a9b58ec62e4aa5886d51e73496a53a805efff |
| SHA512 | 4ed7400e68486ba731f820349e76dfb56730aee9f3c9a132ea92cabd64d1a0a40fed6e4860dc5443f76580e57fdb2beb1b043959b6718acf335232fd8514eaa1 |
C:\Users\Admin\AppData\Local\TempQYQKD.txt
| MD5 | 3845a288688af0ea7ad1b3351fbf7892 |
| SHA1 | bd748562ecc8a31ddc6abd83794975fd1385c1b5 |
| SHA256 | 6cbea6af99a5c35e01753503a065cd827b5e9e28119a7a5f29af8b496c3b1ac8 |
| SHA512 | c3415763356726bc68e4f2b422c143350a804694b918b971afe1f767e0288c4eb07a4ed8041c8b4adb37e5e8aa5879c45db06879117b926bb7b6962b8ecebed0 |
C:\Users\Admin\AppData\Local\TempBIWER.txt
| MD5 | c78a9c4a35ade4129cca9d1e9fd17d34 |
| SHA1 | bec85bc03f9797ec011767d39a60fd8a6912f417 |
| SHA256 | 8cd75fc67979d0c3c56d6730ecc15e6c45ef6dab654666368196e5e97d1491ea |
| SHA512 | d49cfec62ab739821ffe1b2bb947e5d29fa76810203c0e03784e267832c23a7449c192da90bc048474f15a34663b610733f4195462ade9298584a0538864e118 |
C:\Users\Admin\AppData\Local\TempQQFOB.txt
| MD5 | 4ac8f5745193a6f9a1b825c67798dabb |
| SHA1 | 8708e3707c77d35373de6967ae9942c197db15d8 |
| SHA256 | e6eae62b4bb8272204db9082a08bbe94996a0d82665c7b81bbbe6c81d2d0cd05 |
| SHA512 | c381d4b5c082fab4784567b9c495b6146128a3151db93cb4b61952d32ad8dfafbff3f1334d0a65ec7317d39b5806cf6deb575a52f768630489801ecdd950cb62 |
C:\Users\Admin\AppData\Local\TempJVGFJ.txt
| MD5 | 1bac81f9c646fe2b674d58a179cdfa39 |
| SHA1 | f0dd89413f25043dec31a23f4d301be40fd32902 |
| SHA256 | afca7bb674d728b84da41109cc101c857527fe9e2aba63c85804a757d8556561 |
| SHA512 | 802abfaf7b573bd715d455ad394cdd5aedbb188031cd7be7ed5b0910656951b6a9dd5e28347d85ef34f5865548b8231ff89025d4c22a9127aadbf5af7c60b6f0 |
C:\Users\Admin\AppData\Local\TempQNMQD.txt
| MD5 | 6625d8d591d9531af5a93b0939b70765 |
| SHA1 | a761747fa880c4677e73ed657ff6d7cd6effca5c |
| SHA256 | a6a3532725f8244e3be90022376fc07249dfd2cefd1ebcd10c5e7d1fae8ce51a |
| SHA512 | 85a830b20bd99db26926a0bc229f83313b27c7f9a9d76036478ea2bc6280fda8021709de87347368c455b3b5a41153a1d44b130d82bdf47d3f4123f8a84fa4cb |
C:\Users\Admin\AppData\Local\TempRVQYM.txt
| MD5 | e6853eb8d8bcd95d445473b6a01ee7b2 |
| SHA1 | 9734a00608a3ff2bca48bbce91dcb7e601a93b82 |
| SHA256 | 01738fc0e6199dfa9e0bc7189ed9156e3a99ed4a50eb581c66dd0738286c4d07 |
| SHA512 | e11f7f49927db5e339380eafc0951e22f95e61f83fb45b98913d4bdde42f1a90697d0b3fe40d9022041c4755e3f00cfd9c50ba9ba0f67da41c225b617100a872 |
C:\Users\Admin\AppData\Local\TempEWVRR.txt
| MD5 | b3c991bd10680d992a6aeddc3022ffd8 |
| SHA1 | aa16ac0333280b9346e07cb3700f9a6d89a2546c |
| SHA256 | 09b4fcc6c3713f89d1468e89291c2e2850b7173d3b5f4233b047ec22ece7b72b |
| SHA512 | d21378daa1eb3a0c15325b5f340c3252fa603d7b51e5fc1d82405899f163a929821e3070d3bdf65e0c1be87193eb140b269be0afc80820dee513a0a358df92c7 |
C:\Users\Admin\AppData\Local\TempMNWSA.txt
| MD5 | a4d004ad29d3b8175a96f922359cc315 |
| SHA1 | 0fa15cba7e806e78247ff7a5a5aef1172dbeed47 |
| SHA256 | 3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c |
| SHA512 | 81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423 |
C:\Users\Admin\AppData\Local\TempBYTRA.txt
| MD5 | 44c21cc5be8ae2a576be1d54e1ef6e9d |
| SHA1 | a2faa69c90172db8c93bed2f67eeae187634669a |
| SHA256 | be1aea600fa59172350b8929dba873d99045a73a3495f8489606c7f92e830049 |
| SHA512 | ef2ef1a977fc9854545cac015e4a4b6698b424746cac92b7fa682e8d3d7e38c580ebebb5be14fc76ae941bcde26d7cd78da478ad947941c83dcffc43459e8fb9 |
C:\Users\Admin\AppData\Local\TempAHUCQ.txt
| MD5 | e9ea081c5a41b847f5f8222a51e7da8a |
| SHA1 | 3b129936a5a39f7565d3313c5cf901807bac8cc9 |
| SHA256 | 83515ba7a54b2fb22dd4585258b0f0bbcf368c4db790c760e686993ac7d0171d |
| SHA512 | ed3791219f776ce47c40ba9dc6d27a7fb7c3b4340bfb49e806aedaa42d35e65dff753f8d35e7124efb0fca5cb3a8de44978f2d34cfc1bf581acbd373202398d0 |
C:\Users\Admin\AppData\Local\TempGYXTU.txt
| MD5 | 1aa231193817ca982375b9b41286039f |
| SHA1 | 897b67065055c905c5b5376bb63732a2eea5951d |
| SHA256 | 9862d5b00f91a544792740a3f17a706469f2329d86825bbf5db186edef3ae43f |
| SHA512 | de7067a4572eeddc10ba885822a94a5162c376973f438f5b6619b5ad3eb7dc9c82f7edd2b33564894ea12dc11d2f0111c55a55efdf014839698441dbd58f285a |
C:\Users\Admin\AppData\Local\TempYGUTF.txt
| MD5 | 69786475f46eff7a611d5d485b9a9507 |
| SHA1 | 306206beab8da223f7a0f2dc5c488c4da9fea3ee |
| SHA256 | 4612f74b03bbdc0afef06ca91661f4e639f58571e065e9beed2ef884b8750a42 |
| SHA512 | 3c28606386ee67a2eb70d64abf07f4ab002be80073372d8bde65f37d59e3dd1309c9b018e8a4ad8a6cccc4cafae21b99a6ac8a8fb0f568149f4c02c88ed480bb |
memory/1448-1243-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1448-1244-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1448-1249-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1448-1250-0x0000000000400000-0x0000000000471000-memory.dmp
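The Files list above is a flat dump: one path line followed by its hash rows. The script below is an added example, not part of the sandbox report or its tooling, that parses that layout into IOC records, checks each digest has the hex length its algorithm requires (a cheap guard against truncated copy-paste), and flags the two drop patterns the list shows: a `service.exe` copy under a 15-letter random directory in %TEMP%, and a 5-letter random `Temp?????.txt` name glued onto `Temp` with no separator, kept exactly as the report prints it. It also reports paths that appear more than once with different hashes (as `TempJHLGO.txt` does above). The embedded sample reuses a handful of entries from the list; the regexes, category names and function names are this example's own assumptions.

```python
"""Parse the 'Files' section of a sandbox report into IOC records and check
them for the drop pattern seen above (added example, not sandbox output)."""
import re
from collections import Counter

# Expected hex length per digest; used to catch truncated or mangled hashes.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")

# Assumed patterns derived from the list above: a 15-letter random directory
# under %TEMP% holding service.exe, and a 5-letter random name appended to
# "Temp" with no backslash (reproduced as the report prints it).
SERVICE_COPY_RE = re.compile(r"\\Local\\Temp\\[A-Z]{15}\\service\.exe$")
TEMP_TXT_RE = re.compile(r"\\Local\\Temp[A-Z]{5}\.txt$")

# Constructed sample in the report's own layout; hashes copied from the list
# above (SHA1/SHA512 rows parse the same way and are omitted for brevity).
SAMPLE_FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\TempXYKLI.txt
| MD5 | 6a7cf9a2c25f03497fabec742b8ecc97 |
| SHA256 | 5c519200f1cfa920c468a173e827ee04dfe6e1eccfe3315ef4c4644263ffb002 |
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.txt
| MD5 | 6303b2c3820d8ac21ae64417b49d2070 |
| SHA256 | 244ca40d4dea30c28b523270c809f68647112927afc648b79a1637efa1f87abe |
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
| MD5 | f0f9c435a8359ecaf1432d366f83f762 |
| SHA256 | d43ca043b3621be54160f5bd394b03ab557125165e6d746cc5d552a013e9db62 |
C:\Users\Admin\AppData\Local\TempJHLGO.txt
| MD5 | a0c381d2968be48fb7079e9cafe78bf8 |
| SHA256 | e4f5c732140d0db0cb5f559867a4c66658387c88fc80233b72b93e573377608d |
C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
| MD5 | 2dfd2953a4523486f9a445a0d7f04a19 |
| SHA256 | a5c7036dc8c254a30f4e1475bffaab6b28310252f7d3d8dbd6e2464bd6c87b24 |
C:\Users\Admin\AppData\Local\TempJHLGO.txt
| MD5 | 8509bf9401bc0a70df2801d1a6c97866 |
| SHA256 | 79f858d8438fba230ba0df8e090549c443ac3a95fef05ff7f7495876af4ddb54 |
"""


def parse_files_section(text):
    """Return one {'path': ..., 'md5': ..., 'sha256': ...} dict per path line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
        elif current is not None:
            m = HASH_ROW_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2).lower()
    return entries


def classify(path):
    """Bucket a dropped path by the drop pattern it matches."""
    if SERVICE_COPY_RE.search(path):
        return "service_copy"
    if TEMP_TXT_RE.search(path):
        return "temp_txt"
    return "other"


def bad_hashes(entry):
    """Digest names whose hex length does not match the algorithm."""
    return [alg for alg, n in HASH_LEN.items()
            if alg in entry and len(entry[alg]) != n]


def summarize(entries):
    """Counts per pattern, distinct payload hashes, and re-written paths."""
    kinds = Counter(classify(e["path"]) for e in entries)
    seen = Counter(e["path"] for e in entries)
    sha256s = {e["sha256"] for e in entries if "sha256" in e}
    return {
        "total": len(entries),
        "kinds": dict(kinds),
        "distinct_sha256": len(sha256s),
        "rewritten_paths": sorted(p for p, c in seen.items() if c > 1),
        "entries_with_bad_hashes": [e["path"] for e in entries if bad_hashes(e)],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_files_section(SAMPLE_FILES_SECTION)).items():
        print(f"{key}: {value}")
```

Every `service.exe` copy in the sample carries a different SHA-256, so a hash-only blocklist built from one detonation will not match the next drop; the path shape (random 15-letter directory plus `service.exe`, random 5-letter `Temp*.txt`) is the more durable indicator, which is why the script keys its summary on the pattern rather than on the digests.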