Analysis Overview
SHA256
00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975
Threat Level: Known bad
The file 00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades
Blackshades payload
Blackshades family
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-24 07:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-24 07:26
Reported
2025-01-24 07:28
Platform
win7-20240729-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFWPS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYDUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NRFIECSYRHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIQHGRO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLLXURVQYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKUOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJANJHXVMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFERHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPYBBPUMUIS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWRQWSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QBAYEWVRSFLSSDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKOUABHETSGHCBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJIOKANUEP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYXGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXODND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABVBSNAHC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCKCTLHCSLMVMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBQRPXJQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe
"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWLUHG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QBAYEWVRSFLSSDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFWPS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSELPB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCKCTLHCSLMVMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXURVQYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCFGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJANJHXVMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYXGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe
"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFERHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYTGNI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKOUABHETSGHCBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTGMRC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLYGUT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRFIECSYRHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe
"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
| SHA512 | 0ec76184cb7d593f1f18db0de94e0c498b01dcd2051b1ded9971829dfeed7c3b6a97ae83e6ab0fd9b51dd0e202ef3aa8851ade4415de569a44f3ebb5edccf752 |
C:\Users\Admin\AppData\Local\TempWIGKF.bat
| MD5 | cee52e867eea3e6cb11cacb1454673bb |
| SHA1 | d5caf048426777e248db7e47e96f69528e4356b3 |
| SHA256 | fb395866dd130573a86c20bcb009d21c8d66abd8480a12802ed16be4a29a1582 |
| SHA512 | 9fb572a40499b863fce21c793d720878e8db6c7198fb9383b22709a84cd08bede1dbfef8aa1241010e0226e6597d28bc8dfacc36b93ba1b6561d15e6893da827 |
\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe
| MD5 | a4897d7ec39d97c55d130af626a70615 |
| SHA1 | 7b31bb782530607c8ead1279432570d6080e23ca |
| SHA256 | e238c8672f61127d0e15de0e44fa4b4552cc7a03b1145516ada082a964ef8b44 |
| SHA512 | 789227149705ce1811645cdd550cacd5bfcbbbdd86e68f3bb35a1fc6d67a25b44f8696b14558a4fea10752ab00d935d11583fb78c996dc6eb5132886cd07290b |
C:\Users\Admin\AppData\Local\TempCFGPL.bat
| MD5 | 6960746ab8f72bc91336e651aa68cf69 |
| SHA1 | 33f742c4d12a695f0d00fb9e068862ea2fed7564 |
| SHA256 | f7c924382a15ac2b62a40aa8b03e3376ed39ff282f44e3bf664770874b864be9 |
| SHA512 | de13deba09aeb2446ee13159d012250ec79b29ef34f402fec1c0bf3963a99c78fde806652717cb62724c6e0b6da85fb7f3a846ecbe2de78eb1d4480ad7ae9533 |
C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe
| MD5 | bc655da3acffcc5a68b275e6015da24b |
| SHA1 | 37c16c83a5e52e6616b71aec3d2c59131afa1042 |
| SHA256 | b6fad253878afd26831d38ff8f04d85c79c6478a888966a2a1dee9dc5b933933 |
| SHA512 | ef9ae04a98c8e57cd28e5d21c5deed595524c20eee445a0c76f46573ec6d4b1b4eab0f5ef42f1a75d144daf611a6bff5d2a7b71ceff0ab5e8791b11fc463a23e |
C:\Users\Admin\AppData\Local\TempEHISO.bat
| MD5 | 817581e4cfe28bab2be4f4b73f7ab372 |
| SHA1 | ae99ec7f67ac23fae736086d22defc4434e1b7af |
| SHA256 | e516494166781a16fa09d61ab2d51fc1b2205c7ad04f4c0b58cdb160915a8b59 |
| SHA512 | f74af482a46e730970d30bb87096b69d1e0c9409a51ac6ba0cdebc973e088aa43c67992460e076bfd0c12374b267e2515eb2f62435727e0ab1c5d82da02db39d |
\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe
| MD5 | fde312e74d552a67166581f0b9e2cf78 |
| SHA1 | 7de065379e65dc9ae67276deba930de43d122e1f |
| SHA256 | 9130859b15b1185acbe6096708ce86ce19128c6a7d7357ebe3c0af1120dcf0d6 |
| SHA512 | 63b9ad783ff36e411b37cfc0aa1e28ed61c9ab6d0003aa9dcec1c5d405dcb595f0b558a0daa493d568624edd2f73f3360af2bcc787243e78c13fe2b14ccd9d8c |
C:\Users\Admin\AppData\Local\TempOMQLT.bat
| MD5 | abdf815d63e8555d14fd45c44fa4870d |
| SHA1 | db5b684a741883e1d999a126f5bed967747a9967 |
| SHA256 | 98f58fafe79882a38007fcbb49a074f86446263301e079a3b7616d359d985407 |
| SHA512 | d38894eb0fc1aec80a34decc87b07659e4f142b07a253b01f2296f66b791e12c34053b2badab1ca29f6d9af5355a297d72c01e49c5d0b1187cde59c4eae7aab2 |
C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
| MD5 | 976cfe870203a3b81ae38fbb830f53a2 |
| SHA1 | 8912af325401d0d1e7f6bc0d280ed4719c8785fc |
| SHA256 | 1582ee19d0a6d9f30e929df5dd459d9fddb28561b34cfb973b08d8177b7c96a6 |
| SHA512 | 4427d98f360ca7488f4683b496f6ad968325156b99071b33dcc5bdbd82101bf5f17b66878cded31b79ade3a81232eb2401bb3dbd273639cd5f8c5d3d2be07d60 |
C:\Users\Admin\AppData\Local\TempULJNI.bat
| MD5 | 8ca42b41c8e2de27d308a6cc0759a024 |
| SHA1 | 0ca13c792b5c2e0f0b28c31ba19f56810f8e0dad |
| SHA256 | d6e22066c8860f60d38f58320258e5073e2695dfeaea7bc1a1111e2fb11ccb02 |
| SHA512 | bb288998fdd86c53ea2f2e45fcda1a01727eb7698a6f1dae71310c8c2fd695b0a1bb7cb5d74aa9eac3ec61711278a9728c7bd677c736a103e0ed90b4dfb8bc0a |
\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
| MD5 | 4700b737a06d04c1cbba6eb566975eb6 |
| SHA1 | 10b9a81cba4de9bfdbe05f48e9c556ce0ed36549 |
| SHA256 | 9b80df73fed0cafbee5148015e267a4f47f4fdb38145ea80a42f1fefc734870f |
| SHA512 | 4dc80c5a9e000b581d81847d641795459938e64d49e92d4d652ced9fb54bd8b16fea6858f2bf775ab2c7e17bcd12f4a1e4e7b971e92696104ab4ba9e98ea1ffe |
C:\Users\Admin\AppData\Local\TempYWFGO.bat
| MD5 | c23fe5c11339fdbd57cc4b727d05c243 |
| SHA1 | e9f72dd02de9d30b00f26630c2de5d28583979f1 |
| SHA256 | 22248513dcf148704f25a1acf67d85efdf24eddf22fab2c5b4a434ae9398ff55 |
| SHA512 | d778a94901732bbc21407228083a1f7ceb068657c1f51cd06760227b636eedd50b14eaea2aef82fa75a5f921b73d5a0452c8f4738576b09a26d0bb9184555432 |
\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe
| MD5 | e7af9bb05c671786d80c1cdc95eaa98d |
| SHA1 | 9066f23149936ac56c60ca1a40757ede6000b00d |
| SHA256 | bcac6be5243c9450b4660f34843c341047c9305eddf46cfbed8d1b47f617f4d2 |
| SHA512 | ed3a943aa5c61d1cb0e5ace4132ecfd0ca518055bd9de536b6ff755c00cafe5a3b20c2929f437ed146d267a849789972fade5c646fb60a198201291d357abe02 |
C:\Users\Admin\AppData\Local\TempIIRMV.bat
| MD5 | d3cf423a2b6bb6aa36c4e8f8ffaa4266 |
| SHA1 | 6daa5d9c61ea67af3e5a8f6cab65b70fb5b12607 |
| SHA256 | 787c796ba2311e1177cb9f1b49b606825b97af4b0dc24a64804df88155d9be3b |
| SHA512 | 9f3190810933d04e9d1ebded293fde42fe18924b0c0bd130b966b7f726d0b9dc1f5858db7b1a09221262cc86d3ad16458156f1760ee1f5e7bf3c25f1850b78e1 |
\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe
| MD5 | 1f473452633d08f8aadf85dbd41d88b3 |
| SHA1 | 36290f7e222c205af59b5f28b15ee1c39d0bca7f |
| SHA256 | 4742167cf50ba3b47467c45c06f6231df0c46769b23f9b06897acd0903408563 |
| SHA512 | 6f64146668af685ce9f8cd717e1dd5fd7e4415449242d327c7dbd712be0df43f02dd46bc7b02acb7acb9fc73da99101f6b3f016a80ae9ecd58c1ade7cea2eee4 |
C:\Users\Admin\AppData\Local\TempMOXTA.bat
| MD5 | 89a11c0e81b3a6d98279b765147b25dc |
| SHA1 | 0ac625a5eedd3becb549a6afc792834e6af37846 |
| SHA256 | 98e0faac6907cc135486e322a9ad2f3f906a86a97b7c9706ecab4a9c4963398b |
| SHA512 | d61d7a38646ae335ca4753e05e1e467ef81db1eea6299b3ef69a68a6117db0d20a457381866b75fd7e4fc352f644bd8a05965389b1fcf46840a4288488c73504 |
C:\Users\Admin\AppData\Local\TempJACDR.bat
| MD5 | d1f2e014c99667f1790fb29c6759c62c |
| SHA1 | ba5add390cbf847484cfe9ef87ee50ff6705c531 |
| SHA256 | f7f2f97bbdb25c9b940ccc189306d8cf2db72688d4a8e779f70088f3f2357f97 |
| SHA512 | 39ca1ed5043e399af93fa00f90636360e5a8162e270b8ca1617ab7af51c78051d4c989f1f6f32b9d78bc6b6d4557ee0fa891488c127ec7d9aff17aeeddde072a |
C:\Users\Admin\AppData\Local\TempYTGNI.bat
| MD5 | 4781224838a35e5e9d41fbe6362d446a |
| SHA1 | f3d11cc263b9402d8b5f0059400e4b0cb5e8fb5d |
| SHA256 | c194bdafed993955fc25112fae5a2bab38d48702103195ed079b9a33523104d3 |
| SHA512 | 26ae30e2855de142114298c610b38654f772ccce021e39d657a1feeec66724e702cc3283f7476c35ab86792601e0b09f03e5fe2975765b0abe91b950f6313864 |
C:\Users\Admin\AppData\Local\TempTGMRC.bat
| MD5 | 2787afdbe11d921ac85738a66cbfe809 |
| SHA1 | 32bc245503d9e670703531b8391702795cbb8f5f |
| SHA256 | e9626c32c43d56c08542e17855b078f23b1af0ad81a1be24ae20d81e95a673e2 |
| SHA512 | c0f6ce57cc0360548ae0610256b96a9f9a7aee2308dcdb36daaf0aee19c696aefcc1cbe29977c62bbbc181d0b0f73f71b1a709517e71d2077d98361272d0e869 |
C:\Users\Admin\AppData\Local\TempLYGUT.bat
| MD5 | 7f1673b1048549aa98809f3006551b9b |
| SHA1 | eb830f08514f8d5977b20d50d1796eae55b68044 |
| SHA256 | 88185dac7a594251fece5e5f5850654f8422732eaed33a5a424b2c7500fcdcbe |
| SHA512 | cecfc1417aab714f9bf8abdc90687a39aa7071319aa01aaa9b7b952b68a1fa4effe7f85599c91513b63072b2ad468e5a6d8e911c1ea2e5cb16b4fc8c8ea92286 |
C:\Users\Admin\AppData\Local\TempLHVUG.bat
| MD5 | de69c25118df8838f32524d5b65053ba |
| SHA1 | d79b8934dab391b2f85b02ec96a6cf696e23d29b |
| SHA256 | 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921 |
| SHA512 | 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe |
C:\Users\Admin\AppData\Local\TempCIWES.bat
| MD5 | ba429fd56ff7582c4de4880c49452a09 |
| SHA1 | f39ab13e597a4092461eb550a4a343404828677d |
| SHA256 | 15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf |
| SHA512 | 83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a |
C:\Users\Admin\AppData\Local\TempRSXEF.bat
| MD5 | 50bbbf5524dacfec25beee4cda0c1c29 |
| SHA1 | 3fd6c1b8bb90c1d0861ff798675c5fb2101c58f5 |
| SHA256 | fd428a7373e0e2051e9fcf95cfb26406832ce301cb8c8d2fe4d9185ada88c583 |
| SHA512 | 2129a0f899999954ad9b157ec67b75f98fceebcf3fa07ee210ea1bd40607abbda29cca1590053ad2791e45e3233e37beac2eb9eee77b9fe0c277a08ca1bd7b7d |
C:\Users\Admin\AppData\Local\TempEXXMV.bat
| MD5 | c25a274d902d66113edc208144c5a402 |
| SHA1 | d76687b680cb02b698c2750f623e446e9bdb3402 |
| SHA256 | 1f0aefc0bd8eb6adba2e5e5965340b1beb87321194d02d773ec7cbc58ead68a7 |
| SHA512 | fd110d3876f35d735602966e772f5dabd05671da46d8a3e75e189528e506e57ab1bfe40bfd6b7cb9fd7c1f0c6ca72843a0e8e3263d4ba7eb7c7ea3fc595c7d97 |
C:\Users\Admin\AppData\Local\TempGUCQP.bat
| MD5 | 003c89fa3c4c23bcaa945e0122a2ad78 |
| SHA1 | c3daf91e40f93e9c174594e57044887f42ed6ad5 |
| SHA256 | 3eeeaa97262bd94b5d3dfd22d9b0676573c72e8d2b3f54486a5b65cb1cb01333 |
| SHA512 | e2abb39cfae34d9cd35fa5db9ca71745ae16250f3141682901b9af9ecedfe0b7d8a412ad76f9d39f3658a25bedb40a49139f4da829e2336a6cf00c5ad1713e22 |
C:\Users\Admin\AppData\Local\TempRCVVK.bat
| MD5 | 53bfce173bee6cb46bf72cff1923b2ca |
| SHA1 | ec898f8bc5e8dbffd4378b590d222a2628d3848f |
| SHA256 | d8e5e08175f4b556c54390ec568b84be889cf08086594967bdc7b2072264286e |
| SHA512 | 89c5f8bc1de97c7bd6c1dea6830a11b7c7ce6d1a62ec991282ecfa2a57745b268d8df63b7256c94bd4065c0b25fc45e4d592760d6a82c235049466a164855739 |
memory/1484-642-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-647-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-648-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-650-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-651-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-652-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-654-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1484-655-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-24 07:26
Reported
2025-01-24 07:28
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
100s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGEJWXAKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OMQLTHIBIIRMVMB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDNHFIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABHES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNBBCXCTOBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGEUTJJLGCDNIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQTEIOBNV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FVWTCCNUYKIMHPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJSJOGXOCMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDBGYXTUHMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLAOVF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCGYXUVHNUVGAOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOLPLSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCCDXDUPCJE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYXFPFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBOWCUYTPQDJQQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVARMHBGV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVIMIGWULLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQFGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBSMAHCG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFGCACXSGNHMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVTCCWLHPGEQNMQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIJGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NPKILAOVEQUFRCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHQHQNIXRCSCRSP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVUQREJQRCVVKTG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPWHDOHIYRUWHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNCMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTRVQYMOAGNNWSR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCKWAXSQATIWEN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EFABWRELGLYHTQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXVFBMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSOPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHIBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CLVTDYKEXEVORSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGBQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNLPDHCARWPFFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSLBLFYDFWSTA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTHKGEUTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKBSJIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKHQCIN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMYPSRTFJOCNWN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSOJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDUOCJE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDRHUQOTGTVAQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4972 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe
"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFGCACXSGNHMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEFCKD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CLVTDYKEXEVORSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFOAGL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPWHDOHIYRUWHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKVTSW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OMQLTHIBIIRMVMB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWNKP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
"C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGBQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJIWDT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DCGYXUVHNUVGAOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHHBG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVTCCWLHPGEQNMQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNLPDHCARWPFFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHIQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOLPLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe
"C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQHBL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGEUTJJLGCDNIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe
"C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe
"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIWVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTHKGEUTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWTT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NPKILAOVEQUFRCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNXTAG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDRHUQOTGTVAQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXVEE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FVWTCCNUYKIMHPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe
"C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUUJSF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBOWCUYTPQDJQQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe
"C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYCNL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHCKWAXSQATIWEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDBGYXTUHMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EFABWRELGLYHTQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHEMF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXVFBMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFOK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVIMIGWULLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFGOK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQFGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe
"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHIBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
"C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPCYX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTRVQYMOAGNNWSR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGEJWXAKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe
"C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKQVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHQHQNIXRCSCRSP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFSWWP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVUQREJQRCVVKTG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe:*:Enabled:Windows Messanger" /f
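The process list above is a sequence of `REG ADD` invocations: one family writes a value under `HKCU\...\CurrentVersion\Run` pointing at a `service.exe` copy in a random directory below `%LOCALAPPDATA%\Temp`, the other writes `DoNotAllowExceptions=0` and an `AuthorizedApplications\List` entry under the legacy `SharedAccess\Parameters\FirewallPolicy\StandardProfile` key so the dropped binary is whitelisted as "Windows Messanger". The block below is an added example for this page (not the sandbox's or the malware author's code) that parses such command lines, as they would arrive from Sysmon Event ID 1 or EDR telemetry, and classifies them. The sample input is copied from the command lines above; the ATT&CK technique IDs and the wording of the findings are this example's own mapping. Whether the legacy `AuthorizedApplications\List` entry actually opens the firewall depends on the Windows version; the report only records the registry write, not its effect.

```python
"""Classify captured process command lines for the persistence and firewall
tampering seen in this report (Run-key REG ADD, legacy FirewallPolicy writes).

Added example for this page, not tooling from the sandbox or the malware author.
The sample command lines are copied from the process list above; the ATT&CK
technique IDs are this example's own mapping.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: four command lines taken verbatim from the report.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGEJWXAKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe:*:Enabled:Windows Messanger" /f',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the REG ADD embedded in a command line (possibly wrapped in
    'cmd /c'), or None when the line is not a REG ADD at all."""
    toks = tokenize(cmdline)
    up = [t.upper() for t in toks]
    for i in range(len(up) - 2):
        exe = up[i].rsplit("\\", 1)[-1]          # tolerate a full path to reg.exe
        if exe in ("REG", "REG.EXE") and up[i + 1] == "ADD":
            break
    else:
        return None
    key = toks[i + 2]
    opts = {}
    j = i + 3
    while j < len(toks):
        flag = up[j]
        if flag in ("/V", "/T", "/D") and j + 1 < len(toks):
            opts[flag] = toks[j + 1]
            j += 2
        else:                                    # /f, /ve, stray tokens
            j += 1
    return RegAdd(key, opts.get("/V"), opts.get("/T"), opts.get("/D"))


@dataclass
class Finding:
    technique: str   # ATT&CK ID plus short label (this example's mapping)
    subject: str
    detail: str


_RUN_KEYS = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")
_FW_POLICY = "\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\"
_TEMP_DIR = re.compile(r"\\APPDATA\\LOCAL\\TEMP", re.I)


def classify(reg: RegAdd) -> List[Finding]:
    k = reg.key.upper().rstrip("\\")
    out: List[Finding] = []
    if k.endswith(_RUN_KEYS) and reg.data:
        note = ("autostart target lives under %LOCALAPPDATA%\\Temp"
                if _TEMP_DIR.search(reg.data) else "autostart entry")
        out.append(Finding("T1547.001 Registry Run key",
                           reg.value_name or "(default)", f"{reg.data} ({note})"))
    if _FW_POLICY in k:
        if k.endswith("\\AUTHORIZEDAPPLICATIONS\\LIST") and reg.data:
            # Legacy firewall format: <path>:<scope>:<Enabled|Disabled>:<display name>.
            # Split from the right so the drive letter's colon stays in the path.
            parts = reg.data.rsplit(":", 3)
            if len(parts) == 4:
                path, scope, state, name = parts
                out.append(Finding("T1562.004 firewall exception", path,
                                   f"scope={scope} state={state} name={name!r}"))
        elif ((reg.value_name or "").upper() == "DONOTALLOWEXCEPTIONS"
              and (reg.data or "").strip() == "0"):
            out.append(Finding("T1562.004 firewall exceptions allowed",
                               k.rsplit("\\", 1)[-1], "DoNotAllowExceptions=0"))
    return out


def scan(cmdlines) -> List[Finding]:
    """Run every command line through the parser and collect findings."""
    findings: List[Finding] = []
    for line in cmdlines:
        reg = parse_reg_add(line)
        if reg is not None:
            findings.extend(classify(reg))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.technique:40} {f.subject}\n{'':40} {f.detail}")
```

Running the block on the four sample lines yields three findings: the Run-key entry `YUIVGEJWXAKPWXI`, the `DoNotAllowExceptions=0` write on `StandardProfile`, and the whitelisted `service.exe` path with display name `Windows Messanger`; the `cmd /c "...bat"` line is correctly ignored as not being a `REG ADD`.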
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 192.168.1.16:3333 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
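Every DNS row in the table above is a reverse (PTR) lookup, and the only non-DNS flow is a TCP connection to 192.168.1.16:3333, an RFC 1918 address that cannot be reached from the sandbox. PTR names carry the octets reversed, so a practitioner reading the table wants the addresses that were actually being resolved. The block below is an added example for this page (not the sandbox's own code) that converts the `in-addr.arpa` names back to forward addresses and separates direct connections to private ranges from public ones. The rows are copied from the table as constructed input; the private/public reading is this example's interpretation. On a Windows 7 sandbox, PTR queries for public addresses are frequently generated by the OS itself rather than the sample, so treat the reversed list as candidates to check, not as confirmed C2.

```python
"""Read sandbox network rows: PTR (in-addr.arpa) queries are turned back into
the address that was being resolved, and every non-DNS connection is classified
by whether it targets a private (RFC 1918 / loopback / link-local) range.

Added example for this page, not the sandbox's own code. The rows are copied
from the Network table as constructed input.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# (country, destination, domain, proto) as in the table above; constructed input.
SAMPLE_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("N/A", "192.168.1.16:3333", "", "tcp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ip(name: str) -> Optional[ipaddress.IPv4Address]:
    """'97.17.167.52.in-addr.arpa' -> 52.167.17.97; returns None for non-PTR names."""
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def split_dest(dest: str) -> Tuple[ipaddress._BaseAddress, int]:
    """'192.168.1.16:3333' -> (IPv4Address('192.168.1.16'), 3333)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def summarize(rows) -> Dict[str, list]:
    """Group rows into resolver queries (PTR targets resolved to forward
    addresses, anything else kept as a name) and direct connections."""
    out: Dict[str, list] = {"ptr_lookups": [], "other_dns": [], "connections": []}
    for _country, dest, domain, proto in rows:
        addr, port = split_dest(dest)
        if port == 53 and domain:
            ip = ptr_to_ip(domain)
            if ip is not None:
                out["ptr_lookups"].append(str(ip))
            else:
                out["other_dns"].append(domain)
            continue
        out["connections"].append({
            "dest": dest,
            "proto": proto,
            "port": port,
            # True for 192.168.1.16: the sample's server lives on a private
            # network and this connection cannot succeed from the sandbox.
            "private": addr.is_private,
        })
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("addresses resolved via PTR:", ", ".join(s["ptr_lookups"]))
    for c in s["connections"]:
        scope = "private" if c["private"] else "public"
        print(f"direct {c['proto']} connection to {c['dest']} ({scope})")
```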
Files
C:\Users\Admin\AppData\Local\TempPTOWK.txt
| MD5 | 2037347797bac083ebc215041f536594 |
| SHA1 | 5099d1a2477a0f7f5b96b5b0256f5051bc8724b8 |
| SHA256 | 4f6eefaaf197299e8a853243a3efec3fa499f5d8661c3590432ab2cdac202b16 |
| SHA512 | d5b6a1f0d254cfdf46e07b19e48d4d7988016178e348e7060b6c6617d53e322eb5bc5b8ebd8a4d7f1fb7264c7e391495e56a023e2e5e361c3e93d7263d4764ab |
C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.txt
| MD5 | 5132bbf168c0a7e5e62325a7643f31d8 |
| SHA1 | 051d03ffffd645ee81fa669a485f7f86d5dfea3f |
| SHA256 | 9e7f2c9f417ed8adce550d1ee726df539cfc202dd22c0b836306c4080e932968 |
| SHA512 | 7e6f643d18bbfa5222941bd958a075e899b0b597b9e95464ebba5dfb7baa66e97f8d57456486f42bfcde0af58f5d253cf36fca42fc80996383a1e6263007dff6 |
C:\Users\Admin\AppData\Local\TempEFCKD.txt
| MD5 | 2fc221260bc64dbe75749778291fbbde |
| SHA1 | 9ce10d502d3c91095a63bec896646556bef19a95 |
| SHA256 | 3cc4ceb1a902ab8b0ce684b8f901a165ba7d6a6bb1012138fe61d0d37fcfab75 |
| SHA512 | 96795ee572a97695fd6d96435746cc3c4da137ff090bc790babb408422b0d030fe451b6260290bc3693c4019165ae2a109d0cf726cc5fae5f172f9fb44b58b61 |
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
| MD5 | 3a290136fd8e522fb86d3f0dd2053464 |
| SHA1 | 385533a7067fc2d6a637df899d3ad613e7814f14 |
| SHA256 | d1ef0425043b8fa16d3c6ec487c1f27e8a450f9f55f3c53afd78985b88e8d443 |
| SHA512 | 2a21d3ce9c01e0d97b28d94c30909e8c3b2a829699dfa12cc6a4a7debea5f013fe11be03c4a2fd98a2a6ffa3c6c59153f8613f6877f6bc0b98042ad42d04a034 |
C:\Users\Admin\AppData\Local\TempFOAGL.txt
| MD5 | e5ebcf8683ce3e8c02fe2f678d430a8c |
| SHA1 | 81b39fd3bdd5dbdcb4ba0b1c057e92b460100d4c |
| SHA256 | 157380c53f94d8d4000436e42940d63ae2fb6a91f80d71c35830f82d3140d2c1 |
| SHA512 | a240088407b1d4aee249dc6a129689e9abd10969497281f5c748c50c54dcac06929929a4bbe569b5783cb78e81ebb8cd4cbdfc3cfc87c8cc659cbe702187c56c |
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
| MD5 | 1d0379e678786840cf573638ad6700f7 |
| SHA1 | 48d883a7e0115060a52ff2534d5f3f54258d6a8b |
| SHA256 | ce54c25d2192a6239f064c48a34dc6d6b82d5d40a9344605943156ac71f18beb |
| SHA512 | aae718a4206eb348dd13cb76124e5857ea9af8b076c0a4e67eb43dd35797bbd40dc692ce3ec868a9d8beb4e3d0b62cd5f2e3a068c44f76b69857d783cdc4fd8a |
C:\Users\Admin\AppData\Local\TempKVTSW.txt
| MD5 | 355451ecc7c98543b7df3b0daca5947d |
| SHA1 | 430fd0fab7fbc041007083b40ddd47d2846ae9aa |
| SHA256 | e2b822395c0fe0d5648050cf3495407eb02b80552ede58aaadaeda938bf1df6c |
| SHA512 | 56707a77375b6f1c892ed4abb5248492375cc6d151530c55642112e73a1b7006be14b7d6c24ab4946754e59aa81a674aa2a3c26103a7a8bd4de503ce6394161c |
C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
| MD5 | 74c6256d5a3e368a8a58ff6cdb3c1474 |
| SHA1 | 88be0e0199d5fe70a41cb7557fd63c948d075f4f |
| SHA256 | aa757e26feb2cbe18a84f16420288437ac1a9935db089e1503a0c1b91fe88ec2 |
| SHA512 | f1266cbfc9563d99cef5d168b8161d750788d5158db43ad3b37e4ba97c2de3dcdd04117c4317b41832bce5760b66531222b3801b3f08b3d592831cf519994a35 |
C:\Users\Admin\AppData\Local\TempQWNKP.txt
| MD5 | 465865360cd0ba68badf0ccd4980331b |
| SHA1 | e55ab780d6bdbcb4a1cb56eea47a86abd26a8f13 |
| SHA256 | 13df97d3733d9aa539f1980e8c0995929b9ba0914c344d5aad0e83ea02598e5e |
| SHA512 | 7b01180631ec16beeecda3322bac144ef0c1e01ba7295789b59be4981bbf0ae973f95b163af22c349fd3a083a0eb86df4233d391ca1669ee6e08896a2c473863 |
C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
| MD5 | 751c3484eb1d7d1a1b821ebef557fb47 |
| SHA1 | efce2deed8cf841289c66d572f00471324b374b0 |
| SHA256 | 5e9e55375e06e00c8a3057c9e52e216fd80f9c8cb1ad7c3a50b89d258244dcd5 |
| SHA512 | 793dd61eaec2e6695b69324f39b783ae0b22d76a520ce7279f95fe755be6147420515e596a7e16194a5578af27ea96847b123201357f38d13b3b99da1e2227d8 |
C:\Users\Admin\AppData\Local\TempLIRDJ.txt
| MD5 | 0ad6c9500e0217c6a48554d553396c1f |
| SHA1 | ba19a344bcef4b2edb43ff807dd4aec698822639 |
| SHA256 | 819a70bd41db67deebfb277a07da2ea0319aae00f012a4cf28d2a713ee2c7d3d |
| SHA512 | 91378178711b44ff33de321b82a02a58ae4e73bc2cd3288b0b0f370f5cca6e4633fe5c67c21e9b6e340dbae03c2483cd5c093b641e29c8d2c6dd988bbb9fa488 |
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
| MD5 | 4846e9ae4eb6da48b3ff76bb0d1c96f5 |
| SHA1 | 4e449028f9559dc2384b58ad92ca4019b288caf5 |
| SHA256 | a04c60c94fdaddaaac8a7d5a8fb0c0198d45b0963e6ce1687fe108d78c8db2ee |
| SHA512 | d4d6f492615b40722308404fd2d660977625c7b642ec6d4dd52b9c81d7e8c5ac6046a49f6bfb2c0c2658fe6ca922f4baadfa1166608f56034b1fcb409604d6f4 |
C:\Users\Admin\AppData\Local\TempKSELP.txt
| MD5 | 1177496c947a69db47a7fe37d2b2c738 |
| SHA1 | e620660c26a58e6d8c51c30a336f037907f3f74f |
| SHA256 | d53a356106d076db04b76fcb363ecd2596af20fb4e489c4fdbae1e315d995edb |
| SHA512 | c2346ee11705256b93f4a4ba9d3b90ff8bca1524d11f3f3cc34a691b53dfb0fd2414140ff1cc34bda3d5a2f2eb6ed94b4e841352d7d8a6400cae9bbdd4bef505 |
C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe
| MD5 | 8d637167e6787c9dc26ac18fecc8e941 |
| SHA1 | 0a5c9f9b3218c92e20021ad4bb3de662f1631306 |
| SHA256 | 6ba883429f2b797b9b537a5b58caaf49ce5f603c13b3d5ee2a087c67ac2d3d00 |
| SHA512 | acfe64a693dbc03d2be238f15a4ca5a90cc4a98790b8fc99ff7abf5c4e85698ec17004dcfefb0fa46506663d362b57b8d942a8e9e625fee54180f1f00160998c |
C:\Users\Admin\AppData\Local\TempJIWDT.txt
| MD5 | 6fe9341909588e65cf059330f305041a |
| SHA1 | 0584b50ca63bae1de312355a58a7c96a32fcfd3a |
| SHA256 | 32c0e3e7914e05cf9441e17627a5fbe5bafa7fbd90b77f39002fb97286b1b081 |
| SHA512 | f1103b5a7ed0f2b7ebe8c41aae5310c3ad40a63c4a2ec357d9f7d449582eb85796dfd13db78e4d4dad8838cc58ae8c4fd740cd10ff687592747602244cc751cf |
C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe
| MD5 | 6c575affba5244471936cbd51532baa7 |
| SHA1 | 873b8b0efa4297a016afac8cea977977e56c8aae |
| SHA256 | 5032ece8d419e40b7a69c479145c3fcaace40bba8fcd30d7d915f3a89068e6e2 |
| SHA512 | 97a59daff9b12d86b9fa9b7cf52fb2ff4d0f179971b5724287c7e9ba616542a1ecdde2404f4624070eb02bd858b674ffa83d8a81281a640e4e43f9b47d78c43e |
C:\Users\Admin\AppData\Local\TempDGHQM.txt
| MD5 | 805a0854b6bdae48c71ee7464113dc78 |
| SHA1 | e875d5d0a2665556c4528d2194e4e721069cd0b6 |
| SHA256 | 352b1d6863171eea99aabdc71997a75c797d2c196682d593e1607aeb9a3ba959 |
| SHA512 | a18211060ec6b9aed9e9595cf1eaf730b6d840680b29fd2059bd731660e4d59f3af274c4d1420b975f4cd44fb750089fda5eb7b44c75e73c36fbe1764b2a2d2e |
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
| MD5 | 74f40d82f8dada9f624e3872763e686b |
| SHA1 | 17d2e377a731c7582573d8a6c1e94c657ee3e6bc |
| SHA256 | 2e0a8f0f42384602727577a7023a848e218577a8cf311baf3be8fbea7f2bb2be |
| SHA512 | a770ffe6a760923fae6acc784578a16cb99d44917ca865fa831222914fc1537634b3a74765de83a4f012219ee0b8d04b48e6836a40447414a003a3cedfc545a0 |
C:\Users\Admin\AppData\Local\TempDHHBG.txt
| MD5 | f0385e3b9c074f1aa23c1ad26c6e1723 |
| SHA1 | 201d1a9a441b1bbee8c9a2f9c9706002b97c56fd |
| SHA256 | 341e1205affd8b9c64f10cd312144d757c25b502c8f1a1ffae36ba60fcfb3e14 |
| SHA512 | 0e134173c651a36685f66a423e0a1dce4ce34c7d215fa995ad4ce91581f5f89c8c3be52d75ee80339c910acbf380a665e8a4498a2cb608b587c9d8195eb617c1 |
C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe
| MD5 | a6e107c04e3b76a3930eca9ffe4e37bf |
| SHA1 | 07f1d83710550cc624a98de42e5825d27954568f |
| SHA256 | 329a5cb704ef0a1304fdd4f9fafdd5bc301423b203b639ccac960f5f38352c71 |
| SHA512 | 1e26488f1cd6aa2d6fd033dc8b90651bf044dec7644d4788ed096db25909be0f2db6ef3cef868d02cf144e9d81f2083103b5c4e15821554f65cca82e4d9552ef |
C:\Users\Admin\AppData\Local\TempPYATT.txt
| MD5 | 6f0441fab5f71b8ad67a9e9651b9967a |
| SHA1 | 8ca651b8d62a1a5f2a988ecf583ff2f0ca5ea0f8 |
| SHA256 | 5a231a15c85c0a463ab7c95026ae500e1be282361d2ee083dae5f1bd79da323a |
| SHA512 | f14ebd51f90fe50b5f49bf381d58f8ce7c867c01ef1548d27753a47377be165b044b3936a3b41fd8221e24a99be4f4012b9927fc551f932bd423da31ed4964c1 |
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
| MD5 | 0731002e5dbf89e9de8129d96f2d8c30 |
| SHA1 | a6bbce959f9714a49454773f85e40971b2c0aadb |
| SHA256 | e1c0916f45b3decd8de4ac6b86e3bff1b8223f3546a0a98796010e95beddb02b |
| SHA512 | 068a6e85cebc6bcd47c0bbac3cac72edc7deb47aab0c617eea21cccc8db013db995244c4c2416cc3f81f288ce973e967e76ee227ae0cd33a17c3ed7cf5cff31a |
C:\Users\Admin\AppData\Local\TempAJXFT.txt
| MD5 | 8cf1bf2846e63ce08e7fb6d7f2463b46 |
| SHA1 | fc0be31607702f4764e98398541630eab6b4f42a |
| SHA256 | 28f389f73d2135a4d96c1abce48626ed4561d31fb14bfbe9790b691b79297429 |
| SHA512 | fd783bfac613f1be8a48411aa0f9208dcabbb6c0496ddd3516dc7bea68cf661e6569b85147ddce2e7981e29ef30e4e97654ab397dee99cc3372da2dc7641db65 |
C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe
| MD5 | 9656d67cffc5fe64185f8dea7db0c60a |
| SHA1 | c5653c283f8f64f8a0b6798d067ea2f305125021 |
| SHA256 | 7f5368f2444c98759b1303832052adc116722b737780745a5a7688519f1cee69 |
| SHA512 | 2f45de6cee21e11c74f3f81c881788f6cc4f47462938cad0af36c4fd7127b7635f344db80eab23a926e73979e3a0b3c67652e5df2192504a8238d225277b6a27 |
C:\Users\Admin\AppData\Local\TempAHIQM.txt
| MD5 | 61cde408dd426c6058615a38ac55b111 |
| SHA1 | adbe0c98fdb7bedf65c3ebf822fc0e16ff8adbae |
| SHA256 | ba28d2450c52ff4aafa1398dd94f51ffeafa327a6b43f8f9d849406b11e86724 |
| SHA512 | 8194517c39f38dca4bc3a526b8df4d5ce5dbf20363867661c3c26125c74577a5db733eb07e5e63ad26827a473bf65e71ea0a1847eaddaca1119ae323a6d833b6 |
C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe
| MD5 | f66e87adf56bd65fbcbd7c95c293a8ac |
| SHA1 | 617256b55e82bf2f9d20f35426427f94bb1314cb |
| SHA256 | 048de65672aa699e71e71087cfd8bbc0606d04be54ae4db4a30d565147f6bcbb |
| SHA512 | f2a7b6cf3b364df4712ec51a7168f0941bdfb9e48e492f70446cefbf53c9262ebe29a5f0de7a4f80ea99d2484c624031c4d5762c39bb351a0fdf57a1e416110f |
C:\Users\Admin\AppData\Local\TempHQHBL.txt
| MD5 | c0f2c55747dcd57e7b8351e0d1d953bd |
| SHA1 | 575ac1a4eec940e1b5739e12773826a05c1318d7 |
| SHA256 | 89a87f9771461e63dc6cecf6e49f3f675390136d94671914a6a169ccbbeb97aa |
| SHA512 | 37e6aa6eff86f8ffb5cedd832c56411e1fd460e6a8c9752cd726b4069c13b96799940094ab53e6620e69b7fc2571fd34f67e76c2d08c4e788794116ef2e410bb |
C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe
| MD5 | f64e5fafdcda9e9db242d6a27d67692e |
| SHA1 | f7276007ac7cd232b7f340dcb98d4f36bf7ea904 |
| SHA256 | 07376effcdadec2d14cee2b18d49398601194e7a8f922eaae1c62a5edc5ffd54 |
| SHA512 | 130c3bac84e64d9cb02c5023285a0bc38c54fcb701e90ceeacf2a29b5a43c0f079000f5ef71a7a4b728cec2cee4a00d1ca574c4a2c421d9dec90986a7be9b0e4 |
C:\Users\Admin\AppData\Local\TempURAMS.txt
| MD5 | 35131b564a0e147be70d9bb5535803b4 |
| SHA1 | 7db8b9f32ffea1829c0f8a3f52f539dd6450e364 |
| SHA256 | f7f0c9bd1bd49051abd3100845174250086be3912a63f36d018eef216776d637 |
| SHA512 | 87545ecca1273af82ee58e9a6a2223912acc3cb00e85abaad2bf60c0085ce77b4514337cbc24825bee3c3014336339c5b61a770e4d2540a2d174ac83cd0a285f |
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe
| MD5 | 68cabfd2b027159ea40897e78115fe5e |
| SHA1 | fdf52c02268476043253745ef71f46d7bc4b91ec |
| SHA256 | de32f1df1b28b3eae67cf88cd7c45e99d35f7e6b960c98ffa339970281a9f839 |
| SHA512 | 889dc1ab514bf7f6927f07d1b748897168c5d4c7a7b105f86a2cec776f0bcf377defe13cf517d4d136bb80d6666ebf345e881eca5b8cc43e6bfc025af5eaf7d0 |
C:\Users\Admin\AppData\Local\TempEPWMK.txt
| MD5 | 6df101e5793392a3a4687cb3f0d05d43 |
| SHA1 | 8bde684a4b0df6d745ccf82ac144b7f10552c5f0 |
| SHA256 | 89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc |
| SHA512 | d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9 |
C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
| MD5 | 9cbf730ed081d04bcea32207e452d2bb |
| SHA1 | dcb0d45e022c18049e2ac94f7f1060bffc1b5bd7 |
| SHA256 | 185ccdb4aef4f07a55b4b495efc376f86ecf83c3d940d07c36a74fc048deef98 |
| SHA512 | 8b2cd6535e25ceb3391fc03ac534ead2d42d2a48b9a3ec26a0cd8f92480c2db68a60c272af62e8fec4ff84d4a42404e13d0c76094dab15bb0422c7788b32aa7f |
C:\Users\Admin\AppData\Local\TempNIWVH.txt
| MD5 | bafb50a1971b8546c449cbdebb9e6964 |
| SHA1 | 0bdb7fabafbc7f2d3703d6ddab0e97ba0ccd0baf |
| SHA256 | 4f5079af7f4649ed59b30f899f14d364dc414c0abad886a7fefc8a6ac1b8124a |
| SHA512 | e7ffcde9ee652c8625b151f8e82f5fb8d5b9afba03257a3b23c98f3932913ea44ff703b015340e9c616a928485bb679f89108080d311a8747bafd76336323fc6 |
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe
| MD5 | 3b8537577ef3c1ba8a43229bb139dac4 |
| SHA1 | b840c47091bdb14259f13e07a1daf481cb201251 |
| SHA256 | 91df12a7cad3890c59f7fd368046bc7b03b72ca98302f16d9b28d3b63dae2849 |
| SHA512 | b047b0fcb89d3a8b6b14beda53f926cbe9b90d26ac3cbd5c2059c5657aca1567ca0877b747383d709adc5d52375b6ff5ae4387e9d0f64cb7c7dd4c80bcc1cc87 |
C:\Users\Admin\AppData\Local\TempDGHRM.txt
| MD5 | dff4ae58083e32cdf232fb45d9f443c0 |
| SHA1 | 27541d36da950e2ae054582c47c46776d8bc19d3 |
| SHA256 | aa5a8a612ee9baae2cedddba86559f6cb2cd320c7b15c1b342461309390b87c3 |
| SHA512 | 5362115279c09230e1754c0be624f0800d7a1cbc9d6759b29e7dfd55d89caf3cb94518193c3aef73f57d56c1550082ae66bd9dc52c27c12ce168f6180ba23ab6 |
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe
| MD5 | b74e3d14a777ab4af320b6e53b5b992b |
| SHA1 | 795b2ddc87f90456923d89bf566e62300bebac9e |
| SHA256 | 6c01d92f5e3afcfc8827d4990925cee549a88de0440e004fddc3ebb404ef6234 |
| SHA512 | 702de60ff996e81f40f06e138d729ea5de88463974a884b4be77c6677d17f8e9800f51a2e1d1986064484e431fc35acb36404b1ef0092eabeced326774f41517 |
C:\Users\Admin\AppData\Local\TempFXWTT.txt
| MD5 | 993066f21325205a64b0450462faf8a5 |
| SHA1 | 99079d6e1bf9f525b720fba70c64151a854e8085 |
| SHA256 | 07c52e167a8bb1810d5337f759e83f5cf7d69b0863e339c3b5239471f17b1196 |
| SHA512 | 43130ca52013ad6e00369c2af043183ebe6a260ddc536826bd42a85398f4d76b26e694f569bcb8200302578ba3bb87dc56b9b64263175c1d8cb26a7413b35f86 |
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
| MD5 | a3ea673fb83b9a3b4108127111f5a3ba |
| SHA1 | 6c29a3f34e58c16e2d88b74478e590d69b582761 |
| SHA256 | 74bece6d8a95396efdc2a6273ed1d2e524261b7eff0ef4dad20653f20d3dbaf6 |
| SHA512 | b226849eea549a92e78003338e2f13dab48e97d1b4cb3c45f2f697ee55df8b1fea2253a98d783d803d6fa15e817ce72f411dcc4cb678af3cf01652d117a9ab1b |
C:\Users\Admin\AppData\Local\TempNWIOT.txt
| MD5 | f87838cab15eda7ef4c359836eceb7d7 |
| SHA1 | 76f05a70bba2933e540244898948213ea8af4893 |
| SHA256 | b047a9e48755404137e2102cbabff94592f10874757691e7d09714e36c1d8a7a |
| SHA512 | cab55ca4d4f50bba7c56b92363accec829b266017af508eb2b9a3e48c79435f48e4f43bec06597964598f79df69b1743df553c6f24b256403d04a3a2c2292d24 |
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe
| MD5 | ec8f323623f6d1857b2438e114a56fb1 |
| SHA1 | 7be8b0dac03300c0edcbb985b2feeb01278a0513 |
| SHA256 | 1317b615c5302c15f6deb6680e0b339b39679adee9ca3bbeaacfcbe18c7c2855 |
| SHA512 | 890c48664cda2626d756fd869f7c7a61443d8ed5199a7f0461feb780c7f5727ed8a45fcd3d181c4feff8b7a2244f18258653e2021e40266925a03e864931f9ff |
C:\Users\Admin\AppData\Local\TempAJXFT.txt
| MD5 | 120537d96045d46e2ec2a722f68af997 |
| SHA1 | e14c077f5d18ac1ceb39cc6fbea443d10549f1f1 |
| SHA256 | 707a34b25667e08a7141de1eab266006d310482c59b7ea0b42c472e3beaa18cc |
| SHA512 | 2805bb82415c3feb1b5bea94c96e6128cec78f96999ba18a7ac9ab109347df0fbf87aeb89b523e3d10362ad4a111967430d920dbfc5acea73d4ce60773e8c4a3 |
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe
| MD5 | 61f2596f5a0fdcaf59c627bc96fe4fb5 |
| SHA1 | 84b19aa6432391ad15ca4f16695db8faeb267b84 |
| SHA256 | 1d2d7fe5d87442cbef7bce02d721e3db2afb0e8a499d41493e43cdd258c25078 |
| SHA512 | 34b91543f1ef0224f5c250443ca3976a4d01f145fe58f1ae8cd6d6301e1357efa223ca6da76d956ffd358ec84551ca0e3e59739a429c1e24d58e4a241e4b8c59 |
C:\Users\Admin\AppData\Local\TempGBHVD.txt
| MD5 | fc4fc4d0e67121ad7c4abfe5e5e1a17b |
| SHA1 | 5c85394b9f2aa5972caab7d5f3e1730b143a05f9 |
| SHA256 | f5b5a300415e73e733e16403c35df1f1cc3957bd86cde08570adeaf45d904b17 |
| SHA512 | e57b463c78f1b96e1030f8973a404437c833271a878577b73bbbea0918f3ad263950dfa169dcf01380a01a24f1a2873370f89c09e4277cd95cabdbb277afd3d0 |
C:\Users\Admin\AppData\Local\TempNJXWI.txt
| MD5 | 52646ae1a90239b05b5defbc0c7aa789 |
| SHA1 | 3b9fdf2279c61e8a858e0b3277fa6694b512777f |
| SHA256 | df07f65149ce86d914f663c92961d4509168e04b71ec3c4f408785030fe48751 |
| SHA512 | ffbf8ee667a711ba4c60a09955b5d0551e38c1112e1a6f0f977f4616110ff7d1bd4bcbe693dfac84e2b6ba9022fd8cd40b32b24b853d7d58b57d8d310fa63978 |
C:\Users\Admin\AppData\Local\TempNXTAG.txt
| MD5 | 572edd0e76bce32037f4b62e35ad8372 |
| SHA1 | 0db2f37c0ded2a3462b298e379a7ed106c3d91d7 |
| SHA256 | c3a4e318118e5cb5873e83bdce7991328bdc7869fec42e38a1eaa4ef7eb07ada |
| SHA512 | a7da5e5f7789e3c96a62ea7ca7caacdf217d5f86a770637cb49c7d37a04be5423185dd2f97d5a4337446e2e4a52e648b267c54af997f48abce0fd81e3cbbfb95 |
C:\Users\Admin\AppData\Local\TempOPYUB.txt
| MD5 | f5384b44e8e5e967c113012b496349ff |
| SHA1 | 81eb9aebe47f4ce35b312f234ca6e33bc81325cc |
| SHA256 | 5eaa355f0dc5eb39ebfe20614e41728909ff00ae656998aa368f043c52bbf5e5 |
| SHA512 | 5f9f8d6696d8f0cdd1eda4cb8285d9c2036a4fe636141b09f330487caa94864832fcb00f53f22f2427b80db49bd7f175538a07f3e93f737d21699c6dd1f9142f |
C:\Users\Admin\AppData\Local\TempLHVUG.txt
| MD5 | 1b3335d1413cce612b26e63dea5c3ee9 |
| SHA1 | 5fc3a2553e2ec413c04f5828f4ba14e17e9d3d8e |
| SHA256 | 1eed0376af4941ff6ff1271cc33d724d723a7f5c2c33591d733e73bb634cbed9 |
| SHA512 | 3acf07fdefa32daf960353c147148355643ff65496b8381b4f3685dc5d1bbb940705e46802d0a1ec18e82a035daab7bab1e1d14d2f19f8c29d41b11cd997cbbe |
C:\Users\Admin\AppData\Local\TempFXVEE.txt
| MD5 | f22c6d404e24bbc2ee98e6a28aa195ef |
| SHA1 | 4399df7d6a4c520a5350c941fc9d59a399862e20 |
| SHA256 | 7ee75d73e4f2e5530d2a0cf9f5cddd001e64229a09cb85064a20ca21f82d38f4 |
| SHA512 | d297aeeeef4c2f954a43a0f6afef99294e452807fa5264295d9038530808ae5a9e9c93ebb854964be331360717ab29b53f3031dd4df346f9a73a1becb5d6a2c7 |
C:\Users\Admin\AppData\Local\TempXSSHQ.txt
| MD5 | 3e81e6dcb864b4c554164ae46d86c0ee |
| SHA1 | 942aacb46f4e6fc9dfbaa3ad5818e20faf2cc225 |
| SHA256 | bd2f8ffdb3aa85827b29d12470f888dcb45443d96e3b6c63ab537abb23e12840 |
| SHA512 | d80fba86dfc5ae889e86c9d311c992427faac892807f2770cdcbae05c8d5bbff44b806d33352a3b778ae2a6f879fc7f3a828f2ed2a1aca088c27850378eb7d07 |
C:\Users\Admin\AppData\Local\TempYAHHQ.txt
| MD5 | 559765df6500051fcb7b05a531784948 |
| SHA1 | a352c5b0ae4650404989944559c6aac131744d3b |
| SHA256 | 7218951015fbfda41d6abd84c116eaf053514c2ada6978fc0e50f17fe2ed8179 |
| SHA512 | 4b5cd8bc9a3792d6a216d5dc71d18177f325038bf513b6415be74f9dcafd5707aa46e276c7b682bfacb74681cbbba554f02ec84289699a410aae25937acb1c01 |
C:\Users\Admin\AppData\Local\TempUUJSF.txt
| MD5 | 03e34203e7084a09628f1ceaa8eb2a78 |
| SHA1 | 8470037796b3becf0334163d4e49f245b9b3a073 |
| SHA256 | 1cd045e752b401e2e246d554d546dbb6b88e2c906c2fe3f4688bb1a7175e74cb |
| SHA512 | e68dcd588006851e55f86a3fad42c34394732da7e9bf45ce9b33bcca01838df0e650397a32235d0104013a6abe145ad024af734981845f9fa6b0c04346eb10c3 |
C:\Users\Admin\AppData\Local\TempVBTXS.txt
| MD5 | 7fc83caa51827e24a9cb316306a8a179 |
| SHA1 | 1e2b67cf403653ac666382c3d9ebc83b94b9d48a |
| SHA256 | 130879b093bedb944e2c94661322f86925a1f4de8b10f081c45b6ea253f32ad1 |
| SHA512 | bf1a97fa8d2b18e20b2920b005656008af7fa2e7c01e1bcd031f6243d0d20c4b892deb554bd46f8338a547f4364fc6171e2fbbf6743b3b629868871672b26ecf |
C:\Users\Admin\AppData\Local\TempEYCNL.txt
| MD5 | 0a9d2556ac2930cd3b1e617d113990f3 |
| SHA1 | fb59dab6253d6e712010051723425c5bc7a4e236 |
| SHA256 | 031719e870b8b07f6da8d87e2aa3ac7fcff9d9542826f1d3eb7a21066e5f9def |
| SHA512 | 46484199f4ff22f743c26ff7478aa5c2bd24f817a8611f65e76fe34f50f4f66705e7f162bd83261be2030e9269852d3f06664b8e076fd23ae92d0d41be8caecd |
C:\Users\Admin\AppData\Local\TempUFYYN.txt
| MD5 | 35a1ab43d0d9daa94f8a90d1fd49b4a3 |
| SHA1 | 75695acca8167e2c70acefd9c9a8a5b5fe6d66b5 |
| SHA256 | a1f6789a3bf9d6d15633e5efddc4250dbb70d98eedb06d6315eecf38462ad2ea |
| SHA512 | 6a4e61c922a124146450bab7c7cb22a1f11e8fc77cb4ae069a52e163d30d9f7fcb9a22d43148da55c4b73b94018a5588c4d98a5e1f602542ea4526649423e3f9 |
C:\Users\Admin\AppData\Local\TempRMUJJ.txt
| MD5 | 1bc3fea9f47b62158e96f9c887c4e15a |
| SHA1 | 4e79a920c7df0a3bc564f074a3a52a6f736367a9 |
| SHA256 | 3bea3ce73171f8373ec63b4ad065f6a7d149d3125c116cec1a0096401d95b321 |
| SHA512 | e4114ff25e7217bf639128720921b9ece015dd4389eb634315a3217b54f92a04ddaaf7cbc362d9c2a0022489584afbb4d720ced750dc0e831c14957b17521e89 |
C:\Users\Admin\AppData\Local\TempOMQLT.txt
| MD5 | 5eb9108f067adcf608d833883e3a07f2 |
| SHA1 | e650d4150cfe98abda68db69d44ca5be8db039e9 |
| SHA256 | 034166308c5ecf920f9528df3e6360e277479d497e1c01504226893f1d3fb97c |
| SHA512 | d1fede2b3bb65ddf402b09de31213adafbb9ab1800d7e97fe855682e64aad93dc29a7de29a244ab200a52b7da3984050ddd6ec010ebe33cf12faea7c39a7f5d8 |
C:\Users\Admin\AppData\Local\TempGHEMF.txt
| MD5 | 6ad2fdb2cb2e9751b3f87623415b2c1e |
| SHA1 | f60a9be5ca20760142ceca80d23379bc1c3e8c85 |
| SHA256 | c1049faa10744eca932c04804ba0f59b3947559d457cfedf98e6287e22d422fe |
| SHA512 | a8326d6801d375b30e6e4080e3b3c1be4ef7bfa8833f7c1d0feef6f5495fa5038ed22e44096191431709909109ef7b8f6c93c87f9ae8bea2a6e9365bb164bb56 |
C:\Users\Admin\AppData\Local\TempBEFOK.txt
| MD5 | fe0cd675e27063dfe4c8dff3ea68c455 |
| SHA1 | e46a35fa22461c1816d23561cf5e0faaa8dabaf6 |
| SHA256 | 27ffeb64d8931b2d762bca7ae855666afbeda91b97c06c11768327eb39db6a91 |
| SHA512 | e294e2ce842ec8f577b1048b629a6d1dc6c6bb175f76541e6697207a92711be66f5c98dcb800a6295646a6e07f91653f6b872fc9ffad28a7ac7de124f6c02bbc |
C:\Users\Admin\AppData\Local\TempWFGOK.txt
| MD5 | dd8c4ea5e4f35aafaac1e8882649dfb4 |
| SHA1 | 28039a9804e5495ed7e7388c66427e22a4f0a043 |
| SHA256 | 8b731e9f8526e23d3182a593cb25cc84113933f7afd160b996f11910c18db9dc |
| SHA512 | dfa929ddcb14492b5b625e745d016ec5c91825cf7245f4d0dd05d77c9ee2c324bca75cc48012c31c7ab17153598d1ede79147d635b89fcbd4941d58fc141081c |
C:\Users\Admin\AppData\Local\TempPTOWL.txt
| MD5 | c7ae422a1713c3ceaf6d55a47a69ced4 |
| SHA1 | f7358b78eb996bbc9535a7a5d2f676e0b51cc2dd |
| SHA256 | 01930156d66b91739abec3f67c182f3676cbbb394b3a2a1cee02d3655f0940f3 |
| SHA512 | 3eec101482868ef09f0d1bf0bb961753acdb17222309c39c45f4b03b4c3607e0a15ee0c62167c1e025724683f7b1512cb039524ac7f1c400c26d74132a9a6af3 |
C:\Users\Admin\AppData\Local\TempLIQDJ.txt
| MD5 | 957ad5dbaa44ac91d5d250272d2a94e1 |
| SHA1 | d6c101bb30848098ab9c181fbbc422278ab6f6e3 |
| SHA256 | 64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582 |
| SHA512 | 052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857 |
C:\Users\Admin\AppData\Local\TempIRNVM.txt
| MD5 | 7bbbb601e16501019f9650372554699c |
| SHA1 | 6e59d935bc5cafc0a452796b4771f70446480400 |
| SHA256 | 6f5263aa019468fb1d91be7619c35319bd7f31c7d00f94918e5c901b5acc29a4 |
| SHA512 | 4db55ec095a587030e059cd819c9319f2601be64aa0b963b867e83739e14710df5f7b390828cc2d76d9991f961b4ac5be1894548ec666d4f774ab708e0cfa903 |
C:\Users\Admin\AppData\Local\TempGAOXK.txt
| MD5 | c50c7621112fa1afb44904390e54c3c7 |
| SHA1 | 7b090097af1e5ac92d212cbcf0b687ee773dee78 |
| SHA256 | 5b26f953f04bf432172e566629398021a7a5e191ccb4d8d745c5611eea898737 |
| SHA512 | c73f09f0a6b1e33b9f216839fa1679f9bb800325667483337b127197835d109a161cf4260ad2fef587b39a6783bd4238a607ccdeac848ddb82b6d744d6caf81a |
C:\Users\Admin\AppData\Local\TempGPCYX.txt
| MD5 | 4f7f277105ed68afb89676851d86b580 |
| SHA1 | 568a2057b0f9bf90f234b3466871bffcc2ef6f07 |
| SHA256 | 5a37ec247c7370164d16b83ba2c49d12708e04db78d164e6c724fbbaa897d3c4 |
| SHA512 | cf55553e06960be9dfa8055405d97d45bd137ce3a8108dc59994cbcccbae0b8615c69d7beddd384ac4622a51dc5d1bc8ef45008860aad2af4067664c0281f1a3 |
C:\Users\Admin\AppData\Local\TempACQML.txt
| MD5 | d66f5919e5c9ded362fb8a7834e23ed0 |
| SHA1 | 6e91d02599911d1f38b84c0ed717427e87fcc00c |
| SHA256 | 592087cc6e79795816c74d8e7479e2393731b05f2675733596029f781b3bd365 |
| SHA512 | c616cb0f5ce0c51cd4d5a6ef16869ab18006f0ef7f08950744f02a7c8ced3ad884f27321bd22e25668635eb9650391638236401c2f85dac38c28a8f8c5319622 |
C:\Users\Admin\AppData\Local\TempYKQVH.txt
| MD5 | d1cfcbdc161ceaed63dc7266a83e42fd |
| SHA1 | 0aec884c475de6ece1c4322c69e7fa14c7f021fa |
| SHA256 | baecdb95b1e6bcce26d526880dd7b106c870d36ce53e850334dbe28c6d04f0be |
| SHA512 | e125a33ecf700d880a8419021310f9bb8616cc8f16877c26d8e0c0c3d918cdc681cb5976b6956b18c6e60fbf77d2f342c956ac3825b0c37448a5ca2f75f16064 |
C:\Users\Admin\AppData\Local\TempFSWWP.txt
| MD5 | b4dd6a91063ec87374151d302fe95647 |
| SHA1 | fc6509aeb470d6b168cdd832eb458d4d55e89c4b |
| SHA256 | 1ddfda2c13102ec9e5d79a69f67682de3f321b1df50b8d0e40421df5ff3bcd98 |
| SHA512 | 2eaf88609a764169eb7a14f20b6519f2eaf83e6359526b919376cf8c9cb4c7e2810412bc0f05a7397ae417a4898dee964f2240709f640264580f2f999e5e658f |
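The dropped files above follow two naming patterns: payload copies called `service.exe` (or `service.txt` before renaming) either directly in `%LOCALAPPDATA%\Temp` or in a subdirectory whose name is fifteen uppercase letters, and staging files named `Temp` plus five uppercase letters with a `.txt` or `.bat` extension, written beside `Temp` rather than inside it. The block below is an added example for this page (not the sandbox vendor's tooling) that turns those observations into a hunt: a name-based check that does not depend on file content, plus a SHA-256 match against the report's hashes, applied either to an in-memory list of (path, hash) pairs or to a mounted image. The paths and digests are copied from the Files table; the regular expressions that generalise the observed names are this example's own assumption about the dropper and will need re-checking against other samples.

```python
"""Hunt for the on-disk artifacts listed in this report: service.exe/service.txt
copies under the user's Temp directory (directly or in a random 15-letter
subdirectory), TempXXXXX.txt/.bat staging files beside Temp, and any file whose
SHA-256 is in the report's hash list.

Added example for this page, not tooling from the sandbox vendor. KNOWN is a
subset of the Files table above; the name regexes are this example's assumption.
"""
import hashlib
import os
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# path -> SHA-256, copied from the Files table (constructed subset)
KNOWN = {
    r"C:\Users\Admin\AppData\Local\TempPTOWK.txt":
        "4f6eefaaf197299e8a853243a3efec3fa499f5d8661c3590432ab2cdac202b16",
    r"C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.txt":
        "9e7f2c9f417ed8adce550d1ee726df539cfc202dd22c0b836306c4080e932968",
    r"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe":
        "d1ef0425043b8fa16d3c6ec487c1f27e8a450f9f55f3c53afd78985b88e8d443",
    r"C:\Users\Admin\AppData\Local\TempACQML.txt":
        "592087cc6e79795816c74d8e7479e2393731b05f2675733596029f781b3bd365",
}
KNOWN_HASHES = set(KNOWN.values())

RANDOM_DIR = re.compile(r"^[A-Z]{15}$")            # e.g. IRJFATXJKHQCINB
PAYLOAD_NAME = re.compile(r"^service\.(exe|txt)$", re.I)
STAGING_NAME = re.compile(r"^Temp[A-Z]{5}\.(txt|bat)$")  # e.g. TempACQML.bat


def classify_path(path: str) -> Optional[str]:
    """Name-based verdict for one Windows path, independent of file content."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 3:
        return None
    name, parent, grandparent = parts[-1], parts[-2], parts[-3]
    if PAYLOAD_NAME.match(name):
        if parent.lower() == "temp":
            return "payload copy in %LOCALAPPDATA%\\Temp"
        if RANDOM_DIR.match(parent) and grandparent.lower() == "temp":
            return "payload copy in random 15-letter directory"
    if STAGING_NAME.match(name) and parent.lower() == "local":
        return "staging script/text file beside Temp"
    return None


def scan_entries(entries: Iterable[Tuple[str, str]],
                 known_hashes=KNOWN_HASHES) -> List[Tuple[str, str]]:
    """entries: (windows_path, sha256hex). Returns (path, reasons) for hits on
    either the naming pattern or the hash list."""
    hits: List[Tuple[str, str]] = []
    for path, digest in entries:
        reasons = []
        verdict = classify_path(path)
        if verdict:
            reasons.append(verdict)
        if digest.lower() in known_hashes:
            reasons.append("sha256 matches report")
        if reasons:
            hits.append((path, "; ".join(reasons)))
    return hits


def sha256_file(fs_path: str) -> str:
    h = hashlib.sha256()
    with open(fs_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_tree(root: str, known_hashes=KNOWN_HASHES) -> List[Tuple[str, str]]:
    """Walk a live profile or a mounted image and apply both checks. Paths are
    normalised to backslash form so classify_path behaves the same on any host."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            entries.append((p.replace("/", "\\"), sha256_file(p)))
    return scan_entries(entries, known_hashes)


if __name__ == "__main__":
    for path, why in scan_entries(KNOWN.items()):
        print(f"{why:45} {path}")
```

`scan_entries` is the piece to reuse against EDR file-creation telemetry that already carries hashes; `hunt_tree` is for a forensic image, where the hash of each file is computed on the fly. The name check alone is deliberately conservative: a genuine `service.exe` sitting in a user's Temp directory is unusual enough to be worth a look even when its hash is not one of the report's.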
memory/2708-1171-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2708-1170-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2708-1176-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2708-1179-0x0000000000400000-0x0000000000471000-memory.dmp