Analysis Overview
SHA256
70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67f
Threat Level: Known bad
The file 70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Modifies firewall policy service
Blackshades
Blackshades family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-24 08:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-24 08:36
Reported
2025-01-24 08:38
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPCOWOBDXTOCXJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTXLBOKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOGWOCMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRJFAQJKTXYKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HQNHXRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUFEIWXKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OGXPLGWPBQAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRHSLJMYCHVUG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQLFAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMDVNJEUNOXNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHPYAAOTLTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YUIVGEJWXAKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYCVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\AOXOCDYUPCYJEJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNNUJIJFDKFVIQK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNSFJFCTRHHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXNDIARIGR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIJURPTOWKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIJFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNTLCBEFTBPOAIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBWQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMKSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GFSIWSQAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAQRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAUQLVGWBFVWTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOMQLSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSPUPWLMELMUQQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULMJRDKO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMEJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe
"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOBXVA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSPUPWLMELMUQQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEIYWF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPCOWOBDXTOCXJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
"C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMDVNJEUNOXNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe
"C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIPTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAQRO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJFCTRHHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe
"C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGEID.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLVGWBFVWTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempACQLK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUFEIWXKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIJFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIPTFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWPBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGEJWXAKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKOPYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GFSIWSQAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTXLBOKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIQCJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRJFAQJKTXYKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWGRXO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOXOCDYUPCYJEJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDSXJF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLCBEFTBPOAIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAHIRM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOMQLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe
"C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe
"C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOWKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe"
C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe
C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | | tcp |
Files
memory/2140-1170-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2140-1175-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2140-1178-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2140-1179-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-24 08:36
Reported
2025-01-24 08:38
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
94s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGBJUWRPRHVDLCX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKCHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGEVTJJLGCDNJXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQPCKBTLHCSLMVY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTHTEDHYUWIOVVG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVSGSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TATDPOPLJQLBOWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVHEIDLAXBYTRA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFOFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYCVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MREIEBSYQGGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVTCWMCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KOTABGESSFHCADY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGYXUVINUVGAOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WBTXSPQDIPQYBUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYAVPDKFJXGSYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDXVUYLBPLJXOAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HJVVWRQWSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAYTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRRPXJQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQDAPXOCDYUPCYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMMTIHIECJEUHPJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTAJWSQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSGSDCGYXTUHNUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTHUFEIVWJPWWHB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXTUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESOMRDQSOGKLUQD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGDS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSOJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIWRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCSKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTDKUAQLGAFVWT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHUCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1288 set thread context of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe
"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAOXKJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYUWIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
"C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOPVB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAVPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPKDHI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDXVUYLBPLJXOAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYNWJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSGSDCGYXTUHNUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYLKX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTHUFEIVWJPWWHB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOTABGESSFHCADY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAPXPJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESOMRDQSOGKLUQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe
"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVSGSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMYJI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGBJUWRPRHVDLCX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXFNEY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe
"C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHUCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEJYXG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIQHBL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGEVTJJLGCDNJXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLMJSE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQPCKBTLHCSLMVY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJJWDT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGYXUVINUVGAOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUJXF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVHEIDLAXBYTRA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe
"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJREDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBTXSPQDIPQYBUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.99.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.27.33.23.in-addr.arpa | udp |
| N/A | 192.168.1.16:3333 | | tcp |
Files
C:\Users\Admin\AppData\Local\TempAOXKJ.txt
| MD5 | 29321513607c0c119c775f76237d6d7a |
| SHA1 | 9748598691bfcfc190c7926dba03a77bb0298d22 |
| SHA256 | f8d9b22ed6509c63cdfcfd687d2822abc0eb7ea94498da8ff146fff4dd92c6bc |
| SHA512 | 3626c8a267a07a9ffd407c897ff38eb8c9bbc75183568d6651c1066feba919d5e506f6f05bad2fc8e25781ec5d4536c1abb04e63090d7446db1b0d9a52e2fa8d |
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.txt
| MD5 | 5cceb9fe3c184c5dad5b1879d5e8a890 |
| SHA1 | fec62ed4e0db6938dd267d164954e38086476dfc |
| SHA256 | 8786280ba2c5fe174aa653fbcd4c382bd9bad0cdd3d1caac360b2174f1d7155d |
| SHA512 | fac859b52edefd61ecbdb6e2d86f39a13f629214bc6612992e74e0a8d15663506356afab9051722c809bc1ac7cac69b217968cb983fadd75e04e6a1e5dd96da0 |
C:\Users\Admin\AppData\Local\TempMHQHF.txt
| MD5 | 5a25b81aed74b167ea51919cf873d2fc |
| SHA1 | 56b2f2e5184300b74b0e947721dd445ab94b5fc1 |
| SHA256 | c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d |
| SHA512 | a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1 |
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
| MD5 | 74d1a45118cbff55a34b1d5f5405d78e |
| SHA1 | e3ece577d20d2f0e41fb0af6e4d9a184e62d722e |
| SHA256 | f2650975b1fe10b05ce43411ed3e3cafb59323b67eff891e9078a4b443557425 |
| SHA512 | 2b255a06014ef5bcffa67947f24272dab0c4977c065c15d49f7cb45c87fd1fa2e2648a323f40c497b27b95fbefa60515f9eee07d2ada01a46df0b1828cb28d09 |
C:\Users\Admin\AppData\Local\TempWVRSS.txt
| MD5 | beb0003da9260463a7cb0e32e3704637 |
| SHA1 | a2e726a978203f3fd4c53408cb3ce429a516e816 |
| SHA256 | 99f820126e97c2a537ae489f2904e4746b85b55bbd13e08ae8e20f74dabbea92 |
| SHA512 | 7c1a9270763b66b31032096c6204b9a4873961943694b790ac71353f37a95d3347bc0eadc8571de416e22d65aa65c22c70d6ded61fd19de7aa84fc8732e6c6e6 |
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
| MD5 | 1610b4f4635fa595747035745c537d71 |
| SHA1 | d9a92ea76d5fb2cad19c9fce5b2854df0fc74996 |
| SHA256 | d6fa33608516811a2e7fd41324788e022de97b1ff720b8e4c23eacc1a5914a30 |
| SHA512 | f4e3c0c64690c93ad6c2214572f83d3793a85062ef447b98c39089342f22070471d7de5c491cf762addfa20fffd953d6c18d8f9f781ad877bd5b0b88341e0239 |
C:\Users\Admin\AppData\Local\TempSDXWL.txt
| MD5 | 06759fbf084239e9ee1c0f2ef4138a48 |
| SHA1 | 1fbc18020db2d4cda85d756d957bf75f14fe7a05 |
| SHA256 | c100e9f8b8b4f04a07b4d309e8260245bf1a6b6506af1fb090c5b05e92b9bbfa |
| SHA512 | 46fa33c2ecc23586735c40232dc43dbfdbc6170bca5b11083895ecc0e82b458c4776cf05c74229fe9315b14d02d6d709d2e27c418f69afd77a73c833ef8768b7 |
C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
| MD5 | a145d787210b8a90bdad84e234afff47 |
| SHA1 | a4d68fd48c1ec0f09da272865eddb85e2261d97e |
| SHA256 | 33f214185b2de10151e97c49120eb69a56f2aa589fcb49eb4d337dd5ca155041 |
| SHA512 | 5f4faee44cf0f96b6a0564241314eded26e5b73fbdff9b848ecdaee53488b6ced43adf7a272b79633005a24f36d47b77327f7efca2fab50b905e14d7c7ec4fa7 |
C:\Users\Admin\AppData\Local\TempLOPVB.txt
| MD5 | 5fa3d09504478c861ba80b6d0fa6765d |
| SHA1 | cfc7a0e9ecffdf8a8c3406c73cfa4caa889198f7 |
| SHA256 | f3ec550714854be007e6baa6d6543ebea691ce45c543147ce4a639bb94d79866 |
| SHA512 | 32dff33bd9d142c4e57c6be68456bc5b39e7d92c01fc98cfd700008ea4600b5cd0805a2cda45a2aa685bc91989e557a776f8b35225fd723b4fa19ca36b119d91 |
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
| MD5 | ec75969c15bbe407a6351147d6c66574 |
| SHA1 | 9e18f4eeb3879b66a22f020a7fc56d654e52a3c7 |
| SHA256 | abf19e5ff0fd37d6b446f68a830934fb08f72694900c6ebc8f0e0f32c2169328 |
| SHA512 | 0c32269f91168d0aae106e737f6dc88183be4ef4d8f417ede1eb6728ddebd80cfd0db151870f24f97be5e553ae92b2784c24320f3c1ce60a81790884b8afafb8 |
C:\Users\Admin\AppData\Local\TempMQLTI.txt
| MD5 | b6b840ff8307ee32791b0a11dcfc6c1b |
| SHA1 | 48ab0432da2073016e17dbd5475f8ad1df654ce1 |
| SHA256 | 4ae54b9e9997d21ea0277357a399b36349def9b6f1ad5fe59d2ff90951aface4 |
| SHA512 | 3b3d034efd66858153a7b032357ac6bacaf75be3d46c46f16f0a1471871aca13b8fa70690567f5af92617e9250086c76d664126ab8dca87c5d48b444224f0762 |
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
| MD5 | 3e0c6dbc810ed5bf2c2788b62a2e6ea4 |
| SHA1 | 7e33d008b0f44af7a2209c531deea1ac296673c3 |
| SHA256 | 28b97e9fae4212e06edd11c27c7b6c19039db5a58689ffb153d1c8fc1612ec30 |
| SHA512 | c3bc294f9c628ce329e3fcf5f514f02e2d23699013670e171f1e27f4fea808e0b219794db9ba521c4b3a6a3380a38405f5d98d568942e3ab8f202f25ee9417af |
C:\Users\Admin\AppData\Local\TempXGGPL.txt
| MD5 | 2d88b6f973244a550fc52969ff4731d0 |
| SHA1 | c2ee94c917051b866b4e86c4a9172cb5bd55fcbc |
| SHA256 | 725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b |
| SHA512 | 7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693 |
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
| MD5 | a5a23c228768ae9334922f61400ec136 |
| SHA1 | 8e5da7756cdc4d41b79344b9404d78846386d11a |
| SHA256 | acda3ae836590ffacb67a200e2201c8c659bf92db493d030916cfa58750addb8 |
| SHA512 | af8b58a98151f69f2e2284aa9d566519e22722609a0278a2cc0abc17b447d5c7de77ee8fa8acc66189ea9110ce518b2684e4a0215eea971e70aa69de5fe779ae |
C:\Users\Admin\AppData\Local\TempPKDHI.txt
| MD5 | cde8f82092a7c710b845f2a0f43cf7aa |
| SHA1 | 6d68571b4600c17966c15a5549e1b3325a267fcd |
| SHA256 | 3da7ecd2cdcdf8c57427e467a4ad2ff0e2631f67164a4baa8b27aa3f017b60be |
| SHA512 | 0f07b87ca6672ae2b6424b733b1351136bfeda19e776f68886ed1f93bdda2c38929f09bdb7bd882231380f11108839a54dbb5970be9a6a3d8c4a93492d13f5f8 |
C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
| MD5 | 7c1ac2f6c07f40e9073c73df782ca1fb |
| SHA1 | 4b6fa31b1ebe4b2a7874cafa39468316634b1ca6 |
| SHA256 | f2b93ef6ef528f56942c8c24dc4e119d1df2711c26a1431dfe84b698788da5e8 |
| SHA512 | 4e835e5ab2c2e7f1c0a37b516608a57a286977e5f60dc415d9857f631e1194a722aec529760ea4e9d49c849b771fa73cdaaba2e571d4287102babdbe893e4444 |
C:\Users\Admin\AppData\Local\TempPVLJN.txt
| MD5 | f3931ccf4bdf284ee5fb347c6e43bbf9 |
| SHA1 | f538a7c05c86b67b4989635505496f06645b6758 |
| SHA256 | aae5447814b780af09a0f1a0e4bb253dc6dec2fb60f5bdb4e9bc7b27c21f77b4 |
| SHA512 | 64cc45490c27133d4599cf71ecb148c129b33e83229572c6da074334a7016f51c1fba50ecf66b401fc2933c08b8a0a07a7292bd86bab251655555b34f8471514 |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
| MD5 | 8a516acb00ce0156dc51a288b2c79034 |
| SHA1 | 6cdf300d75e2c8328400ebf005adf485753c16ff |
| SHA256 | 509d726365d867e5141d9506379d5c7ae9bd825191136d43b3246f045ec7ecae |
| SHA512 | 0201c7c2fafd3d39f6f17abfba63754936711822420c39958d1a5dac134695a0dc2279fdc34cc6ff80357f1cac228c2a4fe1cdab775a03090ec81a9c64fcc8bf |
C:\Users\Admin\AppData\Local\TempFYNWJ.txt
| MD5 | df01f4a40aee87b7ee5954293fa4b573 |
| SHA1 | a740458aa28514b7e90142f52161a4d18352a963 |
| SHA256 | d3a10ba0ec2363628cda14010da7e80f4c1724eb857831f644c9c7db39a88522 |
| SHA512 | 0b310096fbc962bc77e251d7081fc474c271599e8c41b7e2cd8e822b3dfd5b70aedfe7604f11d1bc7365e29e3ca6e4b53fbe7b8322fabff3bdf8c640e6222809 |
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe
| MD5 | 5d1b224a375961e4a5be0089a70bbd4c |
| SHA1 | 3c7b066536a51786db6c15b91bfaba55f6e2d92e |
| SHA256 | 106a32df8303288c3120a08c575d43c63db0883ba5997dbabdf21549a254122b |
| SHA512 | 0e9aaebaca7fdef09091dcf8b25fc0a88ae6f1847de2f4131f2f4d77ade2fbfd70d8ff2f289e2c3b8e75f38a66fd267061ef97039566b2c1accb559c3e85f316 |
C:\Users\Admin\AppData\Local\TempUSBCV.txt
| MD5 | cf0710f0f5e21858095eb02d90380c39 |
| SHA1 | dc568d72b993c384aea74f7cdcb7fc4140f90f45 |
| SHA256 | 0582f4f97298d78b0de11877baf24c7d8146262d615bade867d1d4fb9a4bdeec |
| SHA512 | 3187a9d1599d9104819d7e4340fb52bd3878f00b053080a5d11595bec8eae7fbb040820c3f4c7b8b1ac45e60f7a7add6edc62c55dba975206474d91cc2dfdd79 |
C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe
| MD5 | 1a0ae144833f4a96d24b9336070250cc |
| SHA1 | d1680a4aec80bf72cdcc42e931d902d87ac157ea |
| SHA256 | dd61794156e3a776d59292668d5f4ad9a0411b13b0eeb3ead12799d96551147e |
| SHA512 | 2a3dc650d20d7e2fe06e5f5a519494e5544a1b4eb2601c7a69745206cbcb56bb2755aef3cf2b36e66e57bd56ca29a9cc05c6fd332db7cb7eeee06e2ced5352af |
C:\Users\Admin\AppData\Local\TempKYGUT.txt
| MD5 | d612c52e460fe347f03804b504fe08b2 |
| SHA1 | c5e6e2ba2df4fc978d564c07e208e6647177b1af |
| SHA256 | 1eadbe5eea3a0c6fe9bb4281d38f4c12141dd02c87b97cbece76fee8b9af2dac |
| SHA512 | 1dd02bbd9d0123ddacf2aa2303153c82ae0af66021f23f9fdbca4d21aa64787f737867e77befdad1c764706d8b9f7456657ea64652d8bb1a920676939cb68ef3 |
C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe
| MD5 | 8a4aaf848c64eb00082059da52aeb808 |
| SHA1 | 9cac45bae5fdb4e29bd2bf3ffd442c75fa3b3e2f |
| SHA256 | a82a32dd93e8e08076007db2851704c22e579e4f7ade3c69e816e277d1f9ef08 |
| SHA512 | 6b50c4a9bf7d8ea6a9500ee252fb2189e03cd41552b9433b2901cdf6c0f56baa80b8fb1d6db387ae583a86864018b8b9683e5f60b4e09bbf4bec7320045c737d |
C:\Users\Admin\AppData\Local\TempWVRSS.txt
| MD5 | f7c2b529214710d2bba1b9dac4bdcef8 |
| SHA1 | 0341723ce1dc588132281d460b672d26556c9c99 |
| SHA256 | 71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691 |
| SHA512 | c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c |
C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
| MD5 | 317ccac9879b345fe8ac4293631969d0 |
| SHA1 | 6407976edd204c973f466a90d76070ceb03d21d9 |
| SHA256 | 72f0aea8dee6ad3a3bafbbe77fb220d84d4f0fd76c5dae6e5f5ae1c14808e5d4 |
| SHA512 | 19bcb6b0b350eb1cd646ef2c4db23072b1d6201b78aef7b65a7f4cb58c68ffdd3c0b9ce3f863075e678ee097bea627319f9393c2df77e452d0ec7e3ed1a084a2 |
C:\Users\Admin\AppData\Local\TempPYLKX.txt
| MD5 | 84973159198fc6a47d4ee7e2843c299d |
| SHA1 | aa83110f2b15b6fb05ee0fd34a05edaefc9c5a7b |
| SHA256 | 77c3bd7cc0ea87c59d4aed7055dbf3365b89ef8845dfe2728e53c25b0bb26391 |
| SHA512 | 08c45c8d5463c57f6da07399416b6a2bc8cae74c022ed462c56cadcbaf323eab43b4f8a06431a02b4c14e39c50ecb6a95513f54810047d798c8eb4eea4c7cbbf |
C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe
| MD5 | e9002683034f1657e0d7fca3d03844f5 |
| SHA1 | 19554cc8986e5f624be8846ec2b1194493c51001 |
| SHA256 | ed8befcd26b5764a941a2a1406056fc79548647310e1ee77051c7931910bf77a |
| SHA512 | 668e5100573a2e8b9dc4bfdc2f18674650705d0d31237ccfb064d77149e8b54fb1822fc50b5fd5e0a1da7bb4152882f10e21d546b01a85ff5488467908e8070e |
C:\Users\Admin\AppData\Local\TempSGNIM.txt
| MD5 | b184f2f6fceabf37ef0d7f80f6ac6f91 |
| SHA1 | 04712f75ebb47c4456185ab2001cd3a9c0c709c3 |
| SHA256 | e7985ce90b7608b32921376f86821a7d5e63f2b8a30120e4c2beff7975a6841e |
| SHA512 | c71fbd33eaff9ea012dca66f119b493c03011dac2adabd32b937f79b12913f39cbb6c1b9df7dc537e602c9f5bb127f7cc6884b18ec223724ba4ae63aab1e9ca8 |
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe
| MD5 | c45f19fd3b4c0f17d480a9c79d9901a3 |
| SHA1 | c165b6735c6d7bc2c8c5ff315cdbf4fc1b95aa93 |
| SHA256 | d47227d315e9ddc8fd7bb8b06f6377b44e4833590245ea5af13b4be7beaf0136 |
| SHA512 | 037bc39ef52879e00d39ee5baef6e9b0d2f2b92f24a36f44df5d465d274797cf2fbe6b0ee4348f11b660dab9d0fdf6d2d704684c402b718555bb21541e4d7d5c |
C:\Users\Admin\AppData\Local\TempRSXEF.txt
| MD5 | 9c69a49bc663b0a59d50e45155108d50 |
| SHA1 | 44ce998eee7669f8c36f1c1dd1e32a7b3f5e0931 |
| SHA256 | 4437fa602b8c9b981570ff66dc7f23bb13c5324b65586bee76ba92c5c32fe1d3 |
| SHA512 | d2ba847997fadeb9e8139f8127de763e994141682ffb0883933f7814d779a4bc48a2073a2df63e5b9150c6310affe96d07c0ef2a7c0457994f421c975f006b8d |
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
| MD5 | 43c401bf191dcdbbbaa86ac0c00f8a8a |
| SHA1 | 297a77b05cc38549ae91139bffd9a9cdcb3c34dd |
| SHA256 | 697d310f03c8a6c89f19aa28438143a96ac90c35749623f4497b9d745ee382ad |
| SHA512 | fb016278d836c4140dddee3c606f4b2d7d77f9e81470fb49046c647ec247499844cdfadd2bc898848a23c5d9782c3310d5a65de655caa1aa367155b26fb5513b |
C:\Users\Admin\AppData\Local\TempAPXPJ.txt
| MD5 | 80cf7932020e9b5016495e4b020c6887 |
| SHA1 | fa0b1fcf5ec01feb2bae82623b0c5aa7703ceec5 |
| SHA256 | 6c7ad0abef65a55ee46641824b177a82ed725ec7d8dadbe76622b232b2273652 |
| SHA512 | 68a58ef747f0442584dd7180c2b45fc0d332f36fa41416298907d85be7d5ecf23fa706e289a49e44308d1e663df6996822267b4d4b6860bc459bd7c88e111fb8 |
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe
| MD5 | a17c0dcdcd8165a18577eed5259b829d |
| SHA1 | 6eb9cd1a2c6e5d1fa77c765460cfd1832097fe0f |
| SHA256 | 6bc76b7a4c0caa7b2aa1b6311ee06dac1661b53423ed7e296c1a70c6fc178c89 |
| SHA512 | 8069324e659d1b22fe9329ebf78073ee3ba26f4f667b48ce09773d8170be87f87fde2382c2957078f7e50dbaeca4539100b31e8cb675dacd621b0c09b5d8464e |
C:\Users\Admin\AppData\Local\TempUFYNW.txt
| MD5 | 808b10324ef2c9f3667a72caa4dfa7fd |
| SHA1 | 21dc798bf9ae600cc0cd31745caa77cc4fedaa2d |
| SHA256 | 3e0a9595d08e5c5dfe573208bcfeee5a3773e82dc0efdc9e15d9a91ed7fe0af4 |
| SHA512 | 8cd4978bfa56dd1b967205e32c7eb027d6b106958a0bc06d12b579a0523647c47cd1054446e85f832336b73140f5be351d9ab8c2426127c5f52e6646b51a3d59 |
C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe
| MD5 | 11557f972413dc88698fe1a880427533 |
| SHA1 | 74549fbb46486b667db540fda4ecb9e6f3515b49 |
| SHA256 | 2e6ba94c9bf754c6b814df4b5a36d16aa1c9a30be533377b7f4eb0f0513f3c5c |
| SHA512 | f227bcd9403a0f861ff84cf01a670c841d9b388ff02246170a6c922e2714f2b94f4e05902094be763cfc1ea18c5f9cc8c08447271d7fe6d1a42100b506681f25 |
C:\Users\Admin\AppData\Local\TempAMYJI.txt
| MD5 | 016472b5ff8b2e7c4dfd8c682023930e |
| SHA1 | 2f079833f22d53b327b8e2194513f3c97ac02fb6 |
| SHA256 | d78348bc794fdb36c93970519aab2dce2dc4b40d1942a758f34d610c58f33a97 |
| SHA512 | 18eb250179cc497252429fffc882d658e6b072835d6a620209da12afc0155394850a093ea0f935d9b6c02b75ed609cb012870b14cbf9b30a3bf9503b24bf09aa |
C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe
| MD5 | 77ed43c054f23282fd3bb0137d6a400a |
| SHA1 | a9a0e1cc62434eebda877dd7ea5371c9616da706 |
| SHA256 | 3dfa8febcd173e5e4ba8ec6d8791b3ca86d067fe42626e3283f41c097b0b2895 |
| SHA512 | 34d036d728b6f3cc1ebfeaf859043da4dc360263c8a9f4cd7082e043342bc3c0df28075c9fd255b90e1b952d3c2e8da843776df111146bce8d19fdc4f09831ec |
C:\Users\Admin\AppData\Local\TempWSRGP.txt
| MD5 | 035f1c7ed9b27d9073d73906455a2fa7 |
| SHA1 | b6edffed330d3b9db173f4f7ab44438b8de0f0e8 |
| SHA256 | 086f99f1b6aa48c8e62a088b99ec7a6ae9334ee35ecbac29cd73903cbda438c5 |
| SHA512 | 838ebc31f4c26a0dbdc9ac895fdfefe7f1ee0e5674c75e7087c52e01ae1b45a1271e1149c24353bd036b49dd8b319328779e701370de2941b276241eb7710d8e |
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
| MD5 | 6e5e85540000a34edd68e4e5d00583b5 |
| SHA1 | c2a31b6afbe0468b94754065d9fa78a2bcf0dbd8 |
| SHA256 | 54f1d57a086ff03289910c287df01bd35d0fa45c23fe59dbcee66672e25e6690 |
| SHA512 | 3aa41f78292cc14dffd1eea93c3e4cb0e0fb84c4060d77be3edbfdddd11bf737a02eeeb81586132f675995dc73b318f94fab923083b371a0a79bcbc7a634250b |
C:\Users\Admin\AppData\Local\TempXFNEY.txt
| MD5 | 0e13ee2c6dcb5d6db9961e93afe834a1 |
| SHA1 | 0f1a311cd3e6ab578813b39dbc0ea36efe53fc58 |
| SHA256 | 7a9c0b88733dd6037a8413a2ef0cd1f5725c3c007b10ae056774c901ccfd4db3 |
| SHA512 | deaf2ca0f316099b683a3b139d65c10ab2f60eafb458bf4cc1ca9a62828b224dfa71688f26f4dddafa2920ad31eb7a1c891c2bad52cb37fcb48012d5271a8efd |
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe
| MD5 | b24255355b6ab0763d155661af09352f |
| SHA1 | 3857755c6e78430cacffc3cdf301ca22a81a2f63 |
| SHA256 | fc21753378c8bb183fd16c22bd611ea523aaec400f6a82c098b79cba9470e4aa |
| SHA512 | 24e1a6063e6897f898a7f7cfbb87d4985e02ad31dbdc60c2a0cdbcda260a7a09b80e8ddf2795815a0571af376b8c90691b116fd69612278c124d59e92117210b |
C:\Users\Admin\AppData\Local\TempOMQLT.txt
| MD5 | ef5edc187dd574db15bc13db15c29730 |
| SHA1 | f3b596b9657f17c374bf27f16fc9a6df8f4c44c9 |
| SHA256 | 71487f836772b1b39fe00590cd2d3670db8827008d6032759d213851ae7848cf |
| SHA512 | 00077c646294c3abfd99c621bb844c02c9fb37f1dd17c740cb5258ed2f877cdd00d25f641ccb2c022182a79cc9013080024945a6c86dcb6e4dc114ca87708bde |
C:\Users\Admin\AppData\Local\TempKNPYU.txt
| MD5 | 2eb2f361f855b94606ef7e80eff0bf2a |
| SHA1 | 3aae294038096ac207ef9b6850651299e3e4922c |
| SHA256 | d45f39789853899fe4feb550aa2ddbe4c77d309342a7b578d0566c016116db51 |
| SHA512 | 01de80786d23d61ffbc6d8e2f14a4044ab05d7dde4ff463cef9b232db01c8f4e322ed294233e8059bf60b5275e0d3c99b1c0fbfa2faca10f1799f621840ce2e5 |
C:\Users\Admin\AppData\Local\TempDGHQM.txt
| MD5 | 0a642b13e305d30ca155412d35b152af |
| SHA1 | 781496d9955791faa48807abc37e66baaf0169f5 |
| SHA256 | 1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797 |
| SHA512 | de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578 |
C:\Users\Admin\AppData\Local\TempEXNJR.txt
| MD5 | 15874e9166b9a49fcd62435843b07430 |
| SHA1 | 2654aa23dfb896878702f52586eafb8f39831a72 |
| SHA256 | 4122df0cdb9895f48a3e278c65988c3c6c5197d6a6cb09d32217ef89100a43d6 |
| SHA512 | 428a3b68e17e2404592e39b8eeb056a3d17de12296ee1a0b788a0e489de3d7e6d5273aba85afdaa143235b3c776e79fd520c22aa30e3fd9b6ebd32dd23837b5c |
C:\Users\Admin\AppData\Local\TempSEMEH.txt
| MD5 | 4fff14f3f96afc630022f1cd49679797 |
| SHA1 | bf9f7d514150513bb4a169657ded6dee7e323042 |
| SHA256 | 7fa849ee648206dcbe76d2ddab3ccc18de8e595a77ec3950629ed2b79cf60f2c |
| SHA512 | 4385ddce5bf79f94eb37b72c4917c247fd8204128be70229b16ff548ca47cc872756bfdeef94f911ed569345920ade5b740747be1f725f7c448853cfd1a0f32e |
C:\Users\Admin\AppData\Local\TempCWAMY.txt
| MD5 | 4ccca2d921a9ac73b28b6b9184427516 |
| SHA1 | 6266377f1d89239073b37acc6b7f568943359209 |
| SHA256 | 1f98e0c82803e42487e3c3043f77058742d13e42276b0e7eb93cc8f692eec01f |
| SHA512 | f1d2d4c76aa1d103c00cf85c9f87664d7cc622d2d0e95caad7e86a44657c9bf29210aa31e5e49108a70d9f4d4a50b84bc1905cb1fff6b79d49f01121ec6a4300 |
C:\Users\Admin\AppData\Local\TempLUQDA.txt
| MD5 | 0887f8a053b6634da227e398c394d81b |
| SHA1 | 7e302400941306dbb1fb3a489a23add27b1209d8 |
| SHA256 | 2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c |
| SHA512 | e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8 |
C:\Users\Admin\AppData\Local\TempEJYXG.txt
| MD5 | 73053e23ed5ba3072ad1cc61295e8261 |
| SHA1 | f38fe651f708324bb06c21fc99be059e2de7e663 |
| SHA256 | 3ad189bb0eef99337f1df10f209508a205446a5ab7aef7a6812041313632e385 |
| SHA512 | 6b26af6d8b8ae55a33c4d2353a91258f9e5734d0732355490a7210db03eb9f43b97888fbfdad19e951072171a1d1f6f05cfc747d14720c88295fde5ec8942463 |
C:\Users\Admin\AppData\Local\TempIQHBL.txt
| MD5 | 9ab7cd71891560db437de792cc8e89df |
| SHA1 | d24b02e2f1b4ef681a14d8b47bc182e0447d274e |
| SHA256 | 9bdf3defc869d9c7c1bd75f76494f556ad93d962b6f42fcb89fb40ad71398b80 |
| SHA512 | 21665fef517a55d16485e68f385d4e3081d8b3b53365d4dfd1e6b874ea183a03937f8f29471dd55102f38a37f8dccae2f8c9a11b9ef3ffb824abae2376724591 |
C:\Users\Admin\AppData\Local\TempMPQVC.txt
| MD5 | 01005956b2e2f9618ee5d54677a17f9e |
| SHA1 | d06659adf8a2855ee3ad04156b940a9563c9dc64 |
| SHA256 | ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a |
| SHA512 | 56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba |
C:\Users\Admin\AppData\Local\TempLMJSE.txt
| MD5 | 35509e2b03676f4fa2ad6b3d194846c4 |
| SHA1 | a346fa6c96e1186bb0dd1e3188c302ae136cfbb8 |
| SHA256 | a60d2d437ce08dc8d030a70e52d182e4f2fa67fd5f2be1d78ac6eeb9615344bd |
| SHA512 | c737fc6ffe178c970f97e3d261154af7a67fba8276b995ebffa5c19faa00066c4cb00732a7466d5e370206af7e8013dc7eded5cf9b15bbd8e250b07da5fc3007 |
C:\Users\Admin\AppData\Local\TempPPYAT.txt
| MD5 | 8017c40b3b87f358920ddc3a7822801d |
| SHA1 | d1707ebb4875777b38e09531e15d0cc1bb133731 |
| SHA256 | ae1c8c15c6aa20d60fc888d7e2067bfcee9d767bfe85da8c6922e998f4c2ed5a |
| SHA512 | b9f5f59b6d2d8e5250737c461625785dd78e697c9abf87e5f94751aa0f07e1f62fca270c00202ec6af2b18afc052de611eba4cd126b5ce78c913b0d518ca9354 |
C:\Users\Admin\AppData\Local\TempPYAUT.txt
| MD5 | 6a5d696b87c0b6fe1cee953dc16b18d7 |
| SHA1 | 60c05a7bcfc30fe6820c354216d291b5bdd4401c |
| SHA256 | 99e1967b9d201e2b8d8f7a4149191c9e3884de073943f85c7bad42d31eb4a9c8 |
| SHA512 | 07e185e1f14bce9e436858891a62d22489e4c1bacf7be01ed8b415ba03c05f5337bc0ffc052a11335ad5f0b60031126a1e398d0683ea1a461845ca104dcb589d |
C:\Users\Admin\AppData\Local\TempVKXIH.txt
| MD5 | 1d04dcf7878702fd18d7e6ed7562894e |
| SHA1 | 7eb33af482be5164ce41ef0314274bdb945898f7 |
| SHA256 | 12fac302f2e1efc661afc1594b5e5ab31298e3ac7cca736909610a7d48203890 |
| SHA512 | 90194afa6724fd1ffe21cda8776505cc7b5457813b0bfd230f5679d75de2477e28d2491956e19588c55d4f97da897a8ef687290a0e8077ee130fce7696df5c42 |
C:\Users\Admin\AppData\Local\TempJJWDT.txt
| MD5 | cf2241bffc3e3a6c62f7bb879c8d873b |
| SHA1 | 9bbe1c96f7400b540aa9b0b5db830a5cc44b2d84 |
| SHA256 | c3c1dcea2cdc75e2ae9a319fbdd56f25f89dd24f67aa59e076196d3c948c4226 |
| SHA512 | 032432bc43f2780531c3e9b15cf30628cc15f4ccd85c8ff27a0ed7f6687deee9bbcf0f088af769c79b22529708e6bf9cef29bcf50b6ccbd0baa0770ab0cc8cd4 |
C:\Users\Admin\AppData\Local\TempURAMS.txt
| MD5 | 8242fb5d6fa630c4073388efd1ffd44a |
| SHA1 | 08cae6cfde916d69ad71d6b49be42d24ccffab64 |
| SHA256 | 63725b478c68cc24876a429fd219ee83d663c7628e8fa56909231cc6e4a6f566 |
| SHA512 | 8f35c03bbcfda32266613552ae644ab96bcd1d97bd21d3cae80b8a465a58ffcf1051e8eadd2f01869d86a739936c77d24cf103b6703cb73661e1d70eeb225ec5 |
C:\Users\Admin\AppData\Local\TempVLHPG.txt
| MD5 | 9d1a78b99bf4b3d346fbaa3c0ef3ca47 |
| SHA1 | 944068cca2361487fd9d9c9079cbe17dd002e117 |
| SHA256 | 8a0d3a21eacd041ae16f71c335c24e969f3106765424fd07ce2cfa5d3f58ff26 |
| SHA512 | 9e6382e356871f8aef1057550e0942e242a82f9a147251c075a42f19b2f2e13bdff62e9f28cb0fc8e4644c2ce204be69571bad9e74d6ffc9c89d3a8a9c9d37a8 |
C:\Users\Admin\AppData\Local\TempBUJXF.txt
| MD5 | 3ad4916c06e2d08e999c89860267d573 |
| SHA1 | 8e6331e4b1ff713fe532cbc208a4264fa630aeb0 |
| SHA256 | b53498f2410b619ff7a7a9bdefbbcdba03eab7899458b91820792ddbc7e62e20 |
| SHA512 | 9b787ffe1c510b0c69afa87bfdb895894fd9ea916d0d3a5e44e40017f03827bcc107c43b2a9d9c8ed364bf47f9330bd49f94e96d433631f103621c05e579bc1f |
C:\Users\Admin\AppData\Local\TempEDHYU.txt
| MD5 | b0e3f78dd578c1827bffd537f7263b0f |
| SHA1 | 866ca32b655e01effdd00b4526f5756a5a6df846 |
| SHA256 | da7a574d162e97a70dbce195f1ab7df74022ad3ef406bf41325a0ab8c5554018 |
| SHA512 | 73a574929bca426493fbebdea7a601429811a25462d827b9c0011529ec14a7831b005af48b66cfde904ad8c37c055f48c06c0a077a0e7b5a67c960bf62b86897 |
C:\Users\Admin\AppData\Local\TempIACQM.txt
| MD5 | 1725034dce64e5b21bf9bb34f976d7f2 |
| SHA1 | a6a51a02e2e4434a8dbe3be66f59ee9e9198e035 |
| SHA256 | 6b7594806abe8ee858a0469b3bd160e6066e3c8ee725cf7dc6a3e9af9c119caa |
| SHA512 | 9ba942b7912e4f69c72238317d4cb8a1d57c39e193d9523ecf106b1351fe804c67cd5a7473b4faee9da769902a8335d6046ec6b3516c8d699a0b50c62f2055e9 |
C:\Users\Admin\AppData\Local\TempJREDR.txt
| MD5 | 5fec7328af99ecb08c5f2ae5a5353c1c |
| SHA1 | e45990b8c428ce291e6dfbb0e3c9f22f9d421cdb |
| SHA256 | f6ca5177631ec299a33eba5241e28f45169fc69bbb8b6e085f9486bb495525b9 |
| SHA512 | 957ced51998e63ecd28c2fc9530c855495dd3594cb0e4bf4a20400cfac82d673818e9fa64e71fc8d2d33d93e1cad0e98cec54bd824236e34f5d29ba903ff4526 |
memory/2468-1074-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2468-1075-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2468-1080-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2468-1081-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2468-1083-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2468-1084-0x0000000000400000-0x0000000000471000-memory.dmp