Analysis Overview
SHA256
a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0
Threat Level: Known bad
The file a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades family
Blackshades
Modifies firewall policy service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-24 08:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-24 08:42
Reported
2025-01-24 08:44
Platform
win7-20241010-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMI\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFKRS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EBFAIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKFYOPMVHNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXOOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFOAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUUHIECEUIPJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLPDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHCXBPFTOMRERTO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe
"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHKMVR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QHCXBPFTOMRERTO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFKRS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EBFAIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHIECEUIPJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCJXFS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLPDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGNRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXOOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe"
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempHKMVR.bat
| MD5 | 3bccfd4b06163ac67c33cb88c7ae7a01 |
| SHA1 | d8b2544ea4168fd36d4c2f1702d2c8d5b8f4ffe4 |
| SHA256 | bd236bed554c64d36b5dab5dc3bfc82c1bc32a6f2d7d1736ed64b325b5ab46b1 |
| SHA512 | 16ba5b1f07d63538ff311535243882b72e7d25e0e33c1c14ff12ca36b334690f12c3baa9d3c8fc69874a22ff4d521bc328761370f3a36663d226a0710f9bf0dd |
\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
| MD5 | bfe6fc9126381c7699bc5c7d486bfc20 |
| SHA1 | aa40b7097c054568e1769a888ddeddd4794adca7 |
| SHA256 | eae47c5df60c53f21f559702f40f5f5f086162bc460b19f1fb576843b4a8e9ab |
| SHA512 | be98a497afb2c697cd9bb754b7161e4e8bcbf4590844fcca42ccebc8a83f996c85452bb7d02c98dc7a2b915fc6c36f630dafa05f5d9a35fed51c013f5a578513 |
C:\Users\Admin\AppData\Local\TempDXWLU.bat
| MD5 | dfd4cab5f88961f37b56f920f0a3bb11 |
| SHA1 | 20ff1258fc401b7bc515f6d7718123bc2fbae639 |
| SHA256 | 9cd237b7606401f31ec6b1f136480b59cee627b1c57c6aa16c8dcfb01240fe6c |
| SHA512 | 2ea225c72ce94447d6a204a98ee8038a03e8d043f81a4f2f66ab930592dd984923e272342a08e2ac08e02b713dd4d948ff931fe8df6646058a71d6ab9f69e06c |
\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
| MD5 | 60f49dba802424e3c6bb1afd7934f4d2 |
| SHA1 | d9e2020d8958e6d1098f89a3686e9abf85ccd756 |
| SHA256 | 291753ceb4bb5fafff88967b345ad71dfdcf9e0b837ca37fea960b9711ce84bf |
| SHA512 | 0521e45592c57b39da9282b88553cc5f44f8187e09f4507c87a812a347333804ba78ca995de3ad77e458ca10e6dac61967b4fbd999dcee7c5cd6d703157d57f1 |
C:\Users\Admin\AppData\Local\TempWWSST.bat
| MD5 | 7263bd0df17a5ae271fa59745cdde26a |
| SHA1 | 1c9d8b250257a149b67daaec96471871de9129a6 |
| SHA256 | 7ffde724cf09f4918e391d1a352935f9561ca1afe0131db2504ea27c38fb07e1 |
| SHA512 | 12aeaf2ab4867e8f1784b361c6d847302dbaf5b407716f0cb3af448e6478fcba19c13c95185bbc5d717215223dfe0dac392d6f4d0951c67d770461cefa8dbce0 |
\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
| MD5 | 31496d44f2289e7e3469a08f62804bc0 |
| SHA1 | 487525b58c3e684a8438f800db5f14586be86454 |
| SHA256 | 1621d0c31970ed164b282bc2048b4556633ede090a0aec72c7c904320a6a71e1 |
| SHA512 | a89b58ec9d734570d89558ed119767602e46b5b59c80235962c9ba603732ccdf459422881199a10e0fa31e322c1f2d8c9256f96539fa368284a494b3e63b5e9c |
C:\Users\Admin\AppData\Local\TempRMUIJ.bat
| MD5 | 759a614ace0e3352f7d48e1e47c9c016 |
| SHA1 | 3f96be3a19dde37ff44f0630880feeca3c6a2fd3 |
| SHA256 | 7af5d185d2338b34d83e10d849f5424ff517bbd2a1947f15952e8b346020be89 |
| SHA512 | 6a145c0ba87f9a98d69c68bb1f6f16eb85e1f10019e75241fe3ca77010cae4ec4fadc6625b11a8725a0f7c48a0df57062adf01f74ea5156bbf5fb76e83e8c4d4 |
\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
| MD5 | 0feea7168c1d934c0b64b5bff31f623e |
| SHA1 | 0428224f62c3a1f8d7661cf3fb64121175ad0e21 |
| SHA256 | c557d10f3c479b914ecb934da80984240b994d88b9579a840584a0834a0b0a2e |
| SHA512 | c4897d0b639899f6145920cf283735f00381775ed3c1b4474cf44442b41030d60c021fe312a8655ccadd3daa4896e4be62f11a36312bfc9fb61408e819d400f7 |
C:\Users\Admin\AppData\Local\TempUGMRD.bat
| MD5 | 8bc446799ac1efd505e98f107b57e679 |
| SHA1 | 82af7d010f7271ce26fc4d6b05613e713c54e7f8 |
| SHA256 | b1bb234cd272d589fd02ae79d372c4d8be2fa47c77ba2b3ffa1e1c07eead5947 |
| SHA512 | 7ad69ce6c84280193766049a6583b5c2b0a58b11f96faea8e50ac6f4bc5ac91d4c5214aa6abfc7b4359557d260c28fb6f68dcfd268bfb4d94357ecebbaae4806 |
\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
| MD5 | 9ae5cb00d1eb9a3ae39ddc5b8e2668fa |
| SHA1 | 71c7f9775a3288634fe89fa0225459ece8340b1e |
| SHA256 | ca96fe61cea9c791c52264dc531cc95e371d3170955de638b78a84769bfd2848 |
| SHA512 | b9e1df7932aabb5247dad939e8e38865d442f60c6d11ba3b7d6a1c51a7e564f40f3f3b082ee8bc1fed2e1ba5c24d749ab1a8fe13ad791586c800343b61953b81 |
C:\Users\Admin\AppData\Local\TempMQLTH.bat
| MD5 | a9cc1386d7d3d38de7068a49bec17a6a |
| SHA1 | 855b3a57690b2c86127ddd9c746b273dc6b72414 |
| SHA256 | 38a0efa00618cf832804271dc356a7687235c67987ba96dfa0d3b90f7cb43023 |
| SHA512 | 6c244432550399155c83ff1fe8f8f72b31bde6cbadf67353770f1fa6482a01f7a5807951c0a270a7df8cf7c277fbddb30740cbdb94e3ec45c298180296fe57d6 |
\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
| MD5 | 0d0ca1ef70ab71a89b37717feb4ca223 |
| SHA1 | 3ccaba631325aeb6cd15241fbe99c191227b9b05 |
| SHA256 | 433f01ecc910c5b36b85fc55d30027e30f36c8faf7a2c736addb8ce2e7978069 |
| SHA512 | 1e02adada83edc6ff3b3157a2cd568043981248f3576fdb48f69e0332ccc37afca7c779833203caa83bfbb902b8624502e9528408f154df751020f8f71c25fca |
C:\Users\Admin\AppData\Local\TempOPYUB.bat
| MD5 | cefdbdf3e03e35a03922a2739efb8950 |
| SHA1 | 3a31bd0b4348e8e7674bf50c7914d4f20a2008d7 |
| SHA256 | dc8ff0c84c87ad432951831214861088639a8d0b992f8adb206caadda2fcfb69 |
| SHA512 | 308278fb087d6df2de2e68bedea72fb061a38bb332e7bf3b13f934cf457a65b0e380c4acd79c8e2262dd2b45a5c6efc935abe3dd554c0fca0fcdb7f151b8cb90 |
\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
| MD5 | a6d30373b25cfc1f03d91b0f835478de |
| SHA1 | 4eca4c337344abb58aa9c122a67d48e80b166032 |
| SHA256 | 504aa23a80b02b93c0b7ce1594c1de61fcc35588b4bcee4148a023431741e8bb |
| SHA512 | 276a62769f0bf9dcb3e175163d105bdc554f74fb487d3cb1b626635c41202933e2a9c6adb3b5b32db4814a3d4a2347232d50ac272b87666b622bccb62962cf88 |
C:\Users\Admin\AppData\Local\TempDWWLU.bat
| MD5 | 64a8a9965a16b8538c8f3541a69924e1 |
| SHA1 | ceb4453715c04935c1376be56523462262bf7193 |
| SHA256 | 1c444f758b36a224d05f34e4dc704134b4e01e7af502400510f78f52e5f5be42 |
| SHA512 | 8032e25b88aadb819af06cf12e73ae96b09bb6848b0e31ba765feba3c95dd6d3270897f843c8f436ace393da0639bd740a485b5585d7d9efb97a6b4ee0c2a92d |
\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
| MD5 | 8f566e475a5ca531e1dc017b80e92eaa |
| SHA1 | 07ee567af430b8faeb34e339787f18a8618f333c |
| SHA256 | e1f7816c02d24a42934ef6b40356db35dcaa24d5318ad94f41d28b550374ec26 |
| SHA512 | fb2d7decab72f10a3fa2b1091f7934d338e8d31db904565a19a430206e8a8c6af52593e59cbf1435028ce151cfc61cf1f383a1c37036c8ca17f76edc0b34fdbc |
C:\Users\Admin\AppData\Local\TempWALYJ.bat
| MD5 | eb2ea627f21ace553a67e97ce09cab97 |
| SHA1 | 60f02c527ae3a018931610f9e59ca66efbbdf9b9 |
| SHA256 | 5768f8f93b792be1be2bf03009cf2960d2ec9eca16d547add7a94b061a79661a |
| SHA512 | cb69c766291dad88b4e668adf8c4153407beff55ea9e19f1df918d6aa29d19354fb1b6faa821b2fab01b4b97bb57d8080734217b56b3c1e245c37a6a3316c418 |
\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe
| MD5 | 90ab16c3cbb1562da69bbac98073e5ca |
| SHA1 | 6afa860e41dea43e51f2aa36f2a157df7c8211d2 |
| SHA256 | 995f08cbee3889e27c5e405c0171a1fdd932ff3472ad22168d288fab476e30dd |
| SHA512 | 658d110767adb779fd13638a49d7f724ccffbcf7f1102baf40f1ff5cfb63f85a9f10fc1decccd891f5aeeb8cfb249d687c201ab925d55cf4211e1cf9b50036fd |
C:\Users\Admin\AppData\Local\TempTRVQY.bat
| MD5 | 837385484a466d032600efcfd1c06143 |
| SHA1 | ba302abcf881a95266b89b7a397e752bee48d4f9 |
| SHA256 | 42a8b1eaf912dd73a214ffecd50d4e9f4b6067f9cc9a56cdc7a86cd2d466b7fb |
| SHA512 | 86901bed761a1afab9811772576a5ed433a3cbc79eafb967f37cb4bbab376aefaea52b4b4a86bb0c799b20456cceda803988ea35548728a70d4945afa2560774 |
\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe
| MD5 | 003f9a3534b477aa112bac5127200a4a |
| SHA1 | cafd7b19788160c52c3fe65914bc977857898639 |
| SHA256 | f20663556ba543b0ce90ebdb9ea4366b7bc5e268c10879b4ea0d54b9f07a56d8 |
| SHA512 | 5a62d07976db5b5f855f72058705a9bf15a4ee9ac6ee772b540db61dee61af598277c7d6fd2d7733b878381306654bcc1266f83dc73376754f6eca17ded26ae3 |
C:\Users\Admin\AppData\Local\TempCJXFS.bat
| MD5 | 2f95f2a96658de6587b87e60c3a5cbe2 |
| SHA1 | adc5aba721622c629fd84f0c493bb2afdb9c58fd |
| SHA256 | 0bc51d72d47501bf212eee4c04d487fc7db5efadf1a2373ca5907c833b3633d8 |
| SHA512 | 2fb9e6872702aa9ce979dbd5596796b6df4b24ece974ffe1a766b238cfe71a9ba2927806fe71ecbbe52e14797bdd3d5cc69b95d2f04e41b43ebc4907b7cee188 |
\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe
| MD5 | d6a09e3e5e9fb7269a25cb90e67c7023 |
| SHA1 | 9bb91e1a15100dda973de39f03ce9f1c2f1b04d0 |
| SHA256 | 881b4299aaa166ce5732e826b68359fbbc2c26627eecba7e2ae9180e01a6c0f0 |
| SHA512 | 53d7137cba282bc0bd98189766ad35f3fb4d3782006dc8232e6cba6a552e332e5e345dce41ef196283ae75982bdb333171365d91ac022b432170ab5d0fb80821 |
C:\Users\Admin\AppData\Local\TempUGNRD.bat
| MD5 | f05d37af3f91e2c54faabe704576dfcd |
| SHA1 | 620e2c5c81d8a2f30b828a440557b8d3e305e5fd |
| SHA256 | b127e76ee6e4eb444a5d761567dc00e960710f97cd43d9af2a41d2274d01d574 |
| SHA512 | 55e86526fa510435ec3654e35ab74451c7ac4a897af17cd49120d9a7b32812c25a4c54a6cb30e996d20ce56ab073511f26dae82e299633ba08fe5f468e1f5831 |
\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe
| MD5 | b6346705910a45040743125c86a47165 |
| SHA1 | 7216a43709e35399769b618184d6129daa77db4f |
| SHA256 | 16cd0e0b3849aa86e6584c9cf2b8b4010ad202f027c7616a9dc632805c160e23 |
| SHA512 | 1e790ff59c50966ff076290b4632f5cd5e5b909bb57bbeb7fb9b0737709b0264f20185f460136f2fb170ad5ec2be60c6bccddd6b9794585bfdac6e0412b4b2af |
memory/3020-352-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-357-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-358-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-360-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-361-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-362-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-364-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-365-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-366-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3020-368-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-24 08:42
Reported
2025-01-24 08:44
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOHAGNWMSJRGQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKXEOXVFCMGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYFFDLEIXXKMHFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXLBOKIYXNANP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOFWNCMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONIRYJFAQJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFWSSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNBYDVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWNKPKRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCWCTOBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDXUOCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVROTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYNEJBSJHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCBDYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RREGBBWRFMHLITQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWNLPKSGHYAHHQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFKFMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPESAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVXIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INSFCRQEFBBWREM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOOVKJKGELGWJRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKLIRDJOBEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
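Both the "Modifies firewall policy service" and "Adds Run key to start application" signatures above are produced by the same mechanism: the sample shells out to reg.exe, and the exact REG ADD command lines are visible in the Processes list further down. The following is an added example, not code from the sandbox vendor or from the Blackshades sample, showing detection logic a practitioner might run over such command lines (for instance from Sysmon event 1 or EDR process-creation telemetry). The sample command lines in it are copied from this report's Processes list plus one constructed benign control line; the helper names (parse_reg_add, classify, scan) and the rule names are this example's own, and the "15 upper-case letters" rule is simply the naming pattern observed in this report, not a documented family constant.

```python
"""Detect reg.exe persistence and firewall-exception writes in command lines.

Added example for this report; not part of the sandbox output or the sample.
Rule names, helper names and thresholds are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: three lines copied from the Processes list in this
# report, plus one benign control line that must not be flagged.
SAMPLE_COMMAND_LINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INSFCRQEFBBWREM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKCU\Software\Contoso\App" /v "Version" /t REG_SZ /d "1.0" /f',  # constructed benign line
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')          # quoted token or bare token
_RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
_FIREWALL_KEY = re.compile(r'\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\', re.I)
# Trailing separator is deliberate: the report records the .bat paths as
# "...\Local\TempGLITQ.bat" (no separator), and those are not Temp-resident.
_TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
_RANDOM_NAME = re.compile(r'^[A-Z]{15}$')       # naming pattern seen in this report (assumption)


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Parse `[cmd /c] REG ADD <key> [/v name] [/t type] [/d data] [/f]`; None if not a REG ADD."""
    toks = _tokens(cmdline)
    upper = [t.upper().rsplit("\\", 1)[-1] for t in toks]   # tolerate a full path to reg.exe
    for i in range(len(upper) - 1):
        if upper[i] in ("REG", "REG.EXE") and upper[i + 1] == "ADD":
            break
    else:
        return None
    rest = toks[i + 2:]
    if not rest:
        return None
    opts = {}
    j = 1
    while j < len(rest):
        flag = rest[j].lower()
        if flag in ("/v", "/t", "/d") and j + 1 < len(rest):
            opts[flag] = rest[j + 1]
            j += 2
        else:
            j += 1
    return RegAdd(rest[0], opts.get("/v"), opts.get("/t"), opts.get("/d"))


def classify(entry: Optional[RegAdd]) -> List[Tuple[str, str]]:
    """Return (rule, detail) hits for one parsed REG ADD."""
    hits: List[Tuple[str, str]] = []
    if entry is None:
        return hits
    if _RUN_KEY.search(entry.key):
        target = entry.data or ""
        if _TEMP_DIR.search(target):
            hits.append(("run_key_points_to_temp", f"{entry.value_name} -> {target}"))
        if entry.value_name and _RANDOM_NAME.match(entry.value_name):
            hits.append(("run_key_random_name", entry.value_name))
    if _FIREWALL_KEY.search(entry.key):
        leaf = entry.key.rsplit("\\", 1)[-1].lower()
        if leaf == "list" and entry.data:
            # Legacy exception format: <path>:<scope>:<Enabled|Disabled>:<display name>;
            # rsplit keeps the drive-letter colon inside the path.
            fields = entry.data.rsplit(":", 3)
            if len(fields) == 4:
                path, scope, state, name = fields
                if state.lower() == "enabled" and _TEMP_DIR.search(path):
                    hits.append(("firewall_exception_for_temp_binary", f"{path} ({name!r}, scope {scope})"))
        if (entry.value_name or "").lower() == "donotallowexceptions" and (entry.data or "") == "0":
            hits.append(("firewall_exceptions_forced_on", entry.key))
    return hits


def scan(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every command line; returns (rule, detail, cmdline)."""
    return [(rule, detail, line) for line in cmdlines for rule, detail in classify(parse_reg_add(line))]


if __name__ == "__main__":
    for rule, detail, line in scan(SAMPLE_COMMAND_LINES):
        print(f"{rule:36} {detail}")
```

Two details worth keeping in mind when adapting this. The command lines write to `HKLM\System\CurrentControlSet\...` while the signature tables record `ControlSet001`; that is the same key, since CurrentControlSet is a symbolic link to the active control set, so a rule should match on the `Services\SharedAccess\Parameters\FirewallPolicy` suffix rather than the prefix. And the `DoNotAllowExceptions = 0` write is not an exception by itself; it only matters together with the `AuthorizedApplications\List` entry that follows it, which is why the example reports the two as separate findings and leaves correlation to the caller.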
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4612 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe
"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGLITQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INSFCRQEFBBWREM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKDGHR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXLBOKIYXNANP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVROTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKXEOXVFCMGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
"C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCBDYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
"C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXGS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKLIRDJOBEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOSNVJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RREGBBWRFMHLITQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempULAJV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWNLPKSGHYAHHQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFKFMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLHPG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNBYDVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGHPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNKPKRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXLSBM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYFFDLEIXXKMHFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUOCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
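The REG ADD commands above are the whole persistence and firewall story of this detonation: each dropped service.exe registers itself under the HKCU Run key, then sets DoNotAllowExceptions to 0 on the Windows Firewall standard profile (re-enabling the exception list) and adds an AuthorizedApplications entry that allows its own Temp-folder path inbound under the display name "Windows Messanger". The following is an added example, not code from the sandbox report or from the Blackshades sample: a small Python triage parser that pulls those registry changes out of process command lines and flags the ones a responder cares about (a Run entry or firewall exception pointing into a user's AppData\Local\Temp, or the firewall exception list being switched back on). The first four sample lines are copied from the process list above; the fifth is a constructed benign Run entry to show the filter distinguishing. The names Finding, parse_reg_add, classify and triage are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: four command lines copied from the sandbox process list,
# plus one constructed benign Run entry (not from the report).
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGHPL.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ExampleUpdater" /t REG_SZ /d "C:\Program Files\Example\updater.exe" /f',  # constructed benign entry
]

# Quoted tokens keep their spaces; everything else splits on whitespace.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

RUN_KEY = re.compile(r'^(HKCU|HKEY_CURRENT_USER|HKLM|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
FW_LIST = re.compile(r'\\SharedAccess\\Parameters\\FirewallPolicy\\(Standard|Domain|Public)Profile\\AuthorizedApplications\\List$', re.I)
FW_PROFILE = re.compile(r'\\SharedAccess\\Parameters\\FirewallPolicy\\(Standard|Domain|Public)Profile$', re.I)
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp', re.I)


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str]
    value_type: Optional[str]
    data: Optional[str]


@dataclass
class Finding:
    kind: str        # run_key | firewall_exception | firewall_allow_exceptions
    name: str        # Run value name, firewall display name, or DWORD name
    path: str        # target executable (or the DWORD data)
    suspicious: bool


def tokenize(cmdline: str) -> List[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Extract key and /v /t /d options from a 'reg add' invocation, whether
    run directly or wrapped in 'cmd /c'. Returns None for anything else."""
    toks = tokenize(cmdline)
    upper = [t.upper() for t in toks]
    for i in range(len(toks) - 2):
        if (upper[i] in ("REG", "REG.EXE") or upper[i].endswith("\\REG.EXE")) and upper[i + 1] == "ADD":
            break
    else:
        return None
    opts = {}
    j = i + 3
    while j < len(toks):
        if upper[j] in ("/V", "/T", "/D") and j + 1 < len(toks):
            opts[upper[j]] = toks[j + 1]
            j += 2
        else:
            j += 1
    return RegAdd(toks[i + 2], opts.get("/V"), opts.get("/T"), opts.get("/D"))


def classify(entry: RegAdd) -> Optional[Finding]:
    """Map a registry write to a persistence / firewall finding."""
    if RUN_KEY.match(entry.key):
        path = entry.data or ""
        return Finding("run_key", entry.value_name or "", path, bool(USER_TEMP.search(path)))
    if FW_LIST.search(entry.key):
        # XP/Win7 exception format: <path>:<scope>:Enabled|Disabled:<display name>
        fields = (entry.data or "").rsplit(":", 3)
        if len(fields) == 4:
            path, _scope, state, name = fields
        else:
            path, state, name = entry.value_name or "", "", ""
        return Finding("firewall_exception", name, path,
                       state.lower() == "enabled" and bool(USER_TEMP.search(path)))
    if FW_PROFILE.search(entry.key) and (entry.value_name or "").upper() == "DONOTALLOWEXCEPTIONS":
        data = (entry.data or "").strip()
        # 0 turns the exception list back on, so a following exception takes effect
        return Finding("firewall_allow_exceptions", entry.value_name or "", data, data == "0")
    return None


def triage(cmdlines: List[str]) -> List[Finding]:
    """Parse every command line, classify the registry writes, drop duplicates."""
    findings, seen = [], set()
    for line in cmdlines:
        entry = parse_reg_add(line)
        f = classify(entry) if entry else None
        if f is None or (f.kind, f.name, f.path) in seen:
            continue
        seen.add((f.kind, f.name, f.path))
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.kind}: {f.name} -> {f.path}")
```

On a live host the same classification applies to the values read back from the registry; this sample parses the sandbox's command lines only, which is the cheapest way to turn a report like this into hunt terms (Run value names, firewall display name, executable path patterns). The exception-string format with the `:*:Enabled:` fields is the legacy Windows Firewall (Windows XP/7) format the sample uses; on newer versions the firewall rules live under a different key and this parser will not see them.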
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.99.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 192.168.1.16:3333 | | tcp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.154.216.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\TempGLITQ.txt
| MD5 | d3fa1ebcd3ab74895688615a59794f94 |
| SHA1 | 6dca95af0ed8a6407196ec24c27df51b1958fb82 |
| SHA256 | 84b85b72a54dad84321e7f99465bed1d9b5f36b8beb56b72db51cb64a2423532 |
| SHA512 | 168a68eff85598f8ec3054703853588ce96ab9d0131a059badb22bd597f6f639408448e78b870280e639716e1c2d58aaa4b1dcdfd907feea82e9957bc936c2bf |
C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.txt
| MD5 | cce79fa7a7bf6c7700d5a1d5eb42fd4f |
| SHA1 | b8e839145515fab98124b7e13da197f5e1aa5c64 |
| SHA256 | c89847a298323c00e235d26e43a2392fd770be5bf8b41c12fac4aab762efeed6 |
| SHA512 | 1ac5c2b4eb6deb44c38676feee3a902bc4f9faa7fd9e5dc8000b1b87e9e3e3f04b51fa3cf387e60d16ebf34245931aab85b4f584f3ebb351d7a64b689955d8c7 |
C:\Users\Admin\AppData\Local\TempKDGHR.txt
| MD5 | 25d052c8abcc5616b1f0e7a985fc79bd |
| SHA1 | 0ba35a86740963ac171c43595d01552ba85aaeca |
| SHA256 | 1a00782514e566c8a5ecbcf69375c3606c057ad20ecc00a4dc1b88420a014c3f |
| SHA512 | de907ef9781e066eed68634da9264cc639187f2ad06d5f8986784fa2b5b27f815139c109dd719f71ea156dc422df85d4ad6d332f7b9178437616d8e7e724cd58 |
C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
| MD5 | 55dd83c5998c976d91d7a202b09da00c |
| SHA1 | 881e64bbbcb2abca03b56c582bf64b63336b22ca |
| SHA256 | 957e77007002657acf73d1d0e00f7bd0e930b7f04ddf607744f33cb5a68a1175 |
| SHA512 | d7a93de02b0294fb59de864dac74c6c89b466ce57825c9f31ed13ffc0f1dfde158e162e00ea104043c9a3b6cc0c87fd71668c5a90ac48ba2175e9f6ee43bab5f |
C:\Users\Admin\AppData\Local\TempKLVQE.txt
| MD5 | 0772b3f1aeeccfd133fb19957ff9231e |
| SHA1 | caed1401d7556c54ef25a5d29b5bcf8a0d1f52a5 |
| SHA256 | 477b4387b01ff97a51677008098701a980aa0e8742579417069d94b009618734 |
| SHA512 | a2ed5eabbf35c043f4768453601edf8bd6647041aeaf181d40c697636e03dd9141a54a49e746e315df86b2be5f5a155aaafce288d4fbfae5d95f18d4ed406b52 |
C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
| MD5 | d4aea8cb3d8a94504e7d52f2ef9b0186 |
| SHA1 | 265d356176ba23e07c557205c20f3f081af67671 |
| SHA256 | 12f3376c45d663f80ca2b13f7a74eb1f40af0bff49e93baa85148d081302a2a8 |
| SHA512 | aef5ff0cc6b65384b8ac6d1487c902e92cedbbfddc17971aafe25bc81f3e3020d5f829d1ea578740ed2667636fe03323a4efd8ab41903a82b3aad3efa790c083 |
C:\Users\Admin\AppData\Local\TempVHIFN.txt
| MD5 | bd032580b7effbda479aa5f35e128787 |
| SHA1 | 50508bb841bfd66058e19d4d0d971214fe972095 |
| SHA256 | a9692075f56f7d52e431da2ac5574b7c74a01dde78bd823e0c4796483c39fad8 |
| SHA512 | 3530dcd2586f93cf7061be08b75951e8350e9df9153c0619f9f7b06f7448ca59893777576a5c0fee503a22d83147a6e4a56614d549b9c685c1f4730c2032944c |
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
| MD5 | a5115d950dc0e2fd3b2ef37d5bd282ac |
| SHA1 | 7bf77748ada1531294e27305c8083c9cf3227195 |
| SHA256 | 330374a1b9575728162e906b8d08181257d2d739bb61e12a40db49b08c988742 |
| SHA512 | 07a9400f4d4c99fc1e6e17254e794c8fe11481158f9bbce30ddcde4f53b96dfabdaf58a04b722b1bcd75acbf152284965b2f92c83727483d65e681faaf30f739 |
C:\Users\Admin\AppData\Local\TempOXTAG.txt
| MD5 | 188035e192b69b039c0ab869ab12d229 |
| SHA1 | 600c49f198f66838326e57ee697b89441e6cf48d |
| SHA256 | fbff84acb16ffa33468ea7160cdecef4d634ad0c60995dce8fbf5b1f9e9e6375 |
| SHA512 | b41618cb1fd7a5ad5c255178bffb3a40c57f4296ef0957b39aca353045bd225bed287846f2ac2cbc35bbbf653a70199263ae50e9df18ee3658f846e28b0a6d9a |
C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
| MD5 | e0e901fc4e62805bc4799ca8c71ba993 |
| SHA1 | 299addf58383a13c99ce674ab7fdccd6ffc4ad37 |
| SHA256 | 412b6c741a00ce1c8f1aeae2ff42c1d5ba03bd0a249440a29a120f0d6cad4982 |
| SHA512 | 22db6962b304000f9afa8b75461132e6800dd6162a3a378c71b5c75ba39305e687f1bdf389146a88df6f82bf9e0baa9d89f659fa32168b1e49718f9d2de9ae04 |
C:\Users\Admin\AppData\Local\TempKHQCI.txt
| MD5 | fab5d0126cf77eddf769e492bc1d084d |
| SHA1 | f445840aba09a8d1f8a7add52a172fd605b0b0d5 |
| SHA256 | 241c1c9a1b55d5262cea18859160431f9fd7d1cdef980e265574ebf86f357fa8 |
| SHA512 | 9781dd5be35e276acbb13fa3e0a1e1dc9de43e3cbd57a277e09aeb55358470c4e9cda38674162d324deb09e33f07f35f20d847397d845d466975a61f42ddfc5b |
C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
| MD5 | 562ebba8e8ff548c768a5768737dc31f |
| SHA1 | 4745a0d721603ccaca200f1a4b66d49cb685150d |
| SHA256 | 2dc52af521965936757888b7e08c7421820accff41008842f4825bc2f6f43e87 |
| SHA512 | 6dc6a59e1d680d2025ee8e781a262f890ee4b04d8a0a2e5599ab4564776afd384b1374c028405d9df5102ecfa934636895aa52b684078e9a188152c395ea53bd |
C:\Users\Admin\AppData\Local\TempWSRGP.txt
| MD5 | 035f1c7ed9b27d9073d73906455a2fa7 |
| SHA1 | b6edffed330d3b9db173f4f7ab44438b8de0f0e8 |
| SHA256 | 086f99f1b6aa48c8e62a088b99ec7a6ae9334ee35ecbac29cd73903cbda438c5 |
| SHA512 | 838ebc31f4c26a0dbdc9ac895fdfefe7f1ee0e5674c75e7087c52e01ae1b45a1271e1149c24353bd036b49dd8b319328779e701370de2941b276241eb7710d8e |
C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
| MD5 | d213b637d13419955365cd9df3c89022 |
| SHA1 | 7fb5981d3912ec3aa9cdb2f3687d351c29ace750 |
| SHA256 | 2db1efa99e25dfc4022133a184d94221b526b02e2522b8db4ddbee6c18572b6e |
| SHA512 | d7cf28978d6c6634bd67c16a21da66e8278038eb3375fea3fca74487c17c75e0196fc4174d281ae139d1076d37c7f8ef54489662acfe93859c6fbaa528f3edd5 |
C:\Users\Admin\AppData\Local\TempCWAMY.txt
| MD5 | 1cd39d2f28bdc0e35e059bd9a929c777 |
| SHA1 | e0f0451e82611dc51329c2cc1213543133393057 |
| SHA256 | 4af301a83cc0fea0bc0e6a4abd8d1a0b066d987fb79c9c58ffa225a3813236b0 |
| SHA512 | 640b1bcd0f4c14b7eda5086448d19042cdfc4284752da5ecc7c99d417db5230201b6260f06a0067396d4389ea390f8f20e7a56788cde2587fbe11ee37546e12b |
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe
| MD5 | 594b4d4264ecfc63aff5df7dfaa81330 |
| SHA1 | 1df944645301b28696a34221852bb41b4506ef97 |
| SHA256 | 07bbced43594ae9a19b211dc5935bb956127dcc34a07d55d15c763e58b864b3c |
| SHA512 | 39e3cff3c1572d862ed432b21a371ec74f1d778c2fc774d706bd2e614c4d01a4e24a1f8a37dc78dd554548d8f0dc41c9d16692231aee8b9445f9669393aacb49 |
C:\Users\Admin\AppData\Local\TempUGHEN.txt
| MD5 | 771a0d697e8d2daf76b5fcaeda95e869 |
| SHA1 | c935556bb99880967d7d32477ec39bfa8ea1fe78 |
| SHA256 | f64146df60407c9c4acca8467db24c82df7848197178bbd42420724fadd8fa51 |
| SHA512 | 6c4671b23fdd31bb1d0b0bfcd6d622cdec8bebee3050b2fe72c93a352789f82f81dab4ae561f137ee8e64968295f02acbce80cc5725a088b786b508709367900 |
C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
| MD5 | 83d61bf6b40a8c3e5afb8a4ea53b08fa |
| SHA1 | ec029aa9fa255bf0cd3bc43e6e9f6509f3f04696 |
| SHA256 | ba652cd7941fe48176e0264dd5c4f591c477604b915c84002598944e96427a54 |
| SHA512 | 2bd599bad10a3fd4b82a13eb6238755b20ee428db2c4be3f22e69e6176733e45dd1b8832dfa5f0bd959607d7ecdcc646119463e5e8e2eca5233681242b72e500 |
C:\Users\Admin\AppData\Local\TempWIOTF.txt
| MD5 | 652f407aec6e62db91f8dceaeb49bb33 |
| SHA1 | 0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe |
| SHA256 | 9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e |
| SHA512 | 7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960 |
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
| MD5 | 937e130bc276f869bc2faa47411975d7 |
| SHA1 | b29d95cf5b2498415bb3d456b44edce8ea084522 |
| SHA256 | 35297739a1c62d402864c4de871483a5e25210dad63fac1054b2a10f158622c5 |
| SHA512 | 42a2affaba85dd0c4b90624bc6f7f92a881878025816211729668123ef12beaf7c35a3df2a182dce3e8ec866ac794eb3339be52088eba6b18113c43031f24fc8 |
C:\Users\Admin\AppData\Local\TempQUPXL.txt
| MD5 | 77fb7b3b674bb437efff72e6f9af15d5 |
| SHA1 | e0996042797ef9aa3021581752684135473e1b9e |
| SHA256 | c93e4840f6e06266123e0bfd7e059e5aa695953efdc870b0a63a5afe3a28c0e2 |
| SHA512 | 54787de251dc7e90d9d6234fdb8edd3f21efa278d106c0b4a1cb11591363dfedbf81f65ee9f26ee6d63d24f0dcdf69b22b939b2dbb1bee30ebc6c616e3e132fb |
C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
| MD5 | 860a959ab547833a675ed2895ee06fd6 |
| SHA1 | dbbcacf5620a21e9a9321a0a4fa1fe31354ed466 |
| SHA256 | 678e8cf54cb2449ae87ae2d54946f94d5b73f47d388e3d91bb8c6f804ced292f |
| SHA512 | 5993a39e9c7dee5de0100947f7fde7b521a8bdb2a596790354c683c0410df9320fb43c729177efbf87b67feacd756f44d0bc065341e77936b6d1466dd56d80fa |
C:\Users\Admin\AppData\Local\TempCQXGS.txt
| MD5 | ce5a5a3b0882fffb6fd22e978d01ab45 |
| SHA1 | 5fb9c89c6499a33e9cd3831e32930aa5eed8e347 |
| SHA256 | 2a7db1fbcbc42c9ceca442efa08e73b3b3dd2ce8166874541c9d0fb36b410eda |
| SHA512 | 2cf4324f2aad4f952533af515661f14f0458942125b68291d6c16daff7f4bf135c0d6e17e26d25496a1d9a443729ed8e4d8beda608abb245fad53883becf534c |
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
| MD5 | b971164d38acc0205d261aefaaee4487 |
| SHA1 | 0cafe16c53a0ccbf6da9a2a140f8de57024e50fa |
| SHA256 | c12b6201364e727feb0783adcd9afd92a1bcf1fa531c65c0a7860dff79a5576d |
| SHA512 | fdfde5ec6eba5cdfbd5b2906f0ce10ffb731bf81bc74a63cad57e12ce721cd721fe5883d15495c40749c75e6de7555ef14710482897fba4c375afe50a936f548 |
C:\Users\Admin\AppData\Local\TempOSNVJ.txt
| MD5 | 2b60fb123c8bf9bdbd0c5445de3c045b |
| SHA1 | 9c050f4674a4c42b9d9b5b3527a962ef45b14474 |
| SHA256 | 8352b6331b16b72a1adcd8ad414abe52f42088e58701ec9fbec18793ff291a80 |
| SHA512 | 6c165382e51913f41059fbcbe8973cace7ee85366f94a465450546c37b09e8d25f680290c6a7744c448a084e4bd96aa340ab6b87935efb49815a23904383d4e7 |
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
| MD5 | 5d1e8dce6f569882eb64264bb75b6eb5 |
| SHA1 | 040d7760cb70d11b42da5fe3f6f49e1340dddf80 |
| SHA256 | 9d02af59bfa71eed58523dde330989e0f44ec19a0fde52ee9e97f99eb527e88f |
| SHA512 | 25a124881efad0f15bd04316194f4b9c6987620b1ca92568644d509f8281aae43ac1686b5426850658ee31856ea745a10845f917669dd0a621ae9475679f1420 |
C:\Users\Admin\AppData\Local\TempULAJV.txt
| MD5 | 00a75ded919bb75bb3ce6dceaf4e7b80 |
| SHA1 | 8f2f197fd077b13151d428f70e23c6a0148fef23 |
| SHA256 | b8f1e98aed569e6ce3d958153895476a67cca02183968170b01b89ad49e2c7c2 |
| SHA512 | d97fbf2c3b71cf5b5888c41c5acd3e8ff93f87ec4a1654aff94fbfff3bb894efa3b704c86610306c6ed7ed7dc3321198ea5edb5d6e2a31bd0f94dc73a4d60b11 |
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
| MD5 | 01b4ed810318c900411412e85698e9c9 |
| SHA1 | b1d60f43d2c3b6ce47d138a27715a33189bb7cb2 |
| SHA256 | 3a99805a6e88e0a07f44401d14a53622bcef65c6c6fa15ee9122d82523389439 |
| SHA512 | 81588b03530034f07979bd2b9954d9b6b5efe371fb6886132e9dc8fb6713c1f619a6f68799ba37f9fddbad614d8c7fb8c442306794d1c2e11f764fe30482f799 |
C:\Users\Admin\AppData\Local\TempUSBCV.txt
| MD5 | 697d191a1e40243d81eb84e57ff474aa |
| SHA1 | fd3aeb22eb7a9a0dc6da26efd96b8d42fb32cab7 |
| SHA256 | 2a9b1756c3dcbdde5a61dda7613dac2dd5297e065bee0c2400f3b88cad9f794f |
| SHA512 | 55a5612fe505b547641d56297c4eb0e9963b8ae833d97bea71095a14f63aa3a5ed546c4daae7e34f1dc422aaf2845b7eb3d7249da01cebcaf42e8dc952597a17 |
C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe
| MD5 | 9f41f533e15e1ecb3c3a3fadaa52c68e |
| SHA1 | a8f99c7c7184ad6658888511ddd76bb146060744 |
| SHA256 | 9e6c54575c939143fa69a25142c615ee278dcabe2adfc4d2e3a9b78308e2b650 |
| SHA512 | 7538edf3d674dbb32042f3339c8d3241a56caeeb5d1107d64cb10d905801cd24f3123223ee869dc8114b34dfcce2063a350e6d6b8073b21d2ec3ccb88da5cf6b |
C:\Users\Admin\AppData\Local\TempUQYPE.txt
| MD5 | bbe5f152b4f3e3d5ef9931d5cd8d0fee |
| SHA1 | 5211e43dc2141d5760599ff6ff543bf75cf64a57 |
| SHA256 | 6891da7dc2d09c62f86c43a3fac820a9d119fb92e6a31547cbd02785a46ece9c |
| SHA512 | d434ae818450ebc09541f35981b839cca71d8a9f6d2947cc1b81b4bc58c9c5c4948502017e1cfa03a7a9c024fe644353a88d77ebcf66e5280169682e0d2aa3c2 |
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
| MD5 | 47a6a3d7e5a19136d51e6ffc10269311 |
| SHA1 | eee480552578efbdafdb174cfa3ef501fd0fddbc |
| SHA256 | cf9b404e0da3f5734f69686f675aa653b047343e758a86d15d0aa23abf27ce32 |
| SHA512 | b768a897aa9cbc3c61a3a64ef0a13a2326a3c889cafb39c274bdc3eae7ac9131348670555c563b8c285645d7a4f638bc6c09de1eafb2788afb5f5f2f6cd26db8 |
C:\Users\Admin\AppData\Local\TempMJSEK.txt
| MD5 | cf937b7d55932faad09ba835458e6a83 |
| SHA1 | 1e3445e2c1ca834a6b29cbf5b5730873a42f8cd8 |
| SHA256 | 8a75c414f3c319a6212bca79c0c2628c4bcbd12114d0f248290a5733d08ab9a1 |
| SHA512 | 60111eeb8e2c72c0ee781a23f819c5889a07a553e7d945a67b1e4b1f85d1fd862c19e0ae101e3b90c615817bf48a8c9a40830d36e81877ae0f5c5ab2f7957693 |
C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe
| MD5 | 88770301ab08d657fa121456d6cd5652 |
| SHA1 | b7b4e5a828807937721f6cc024e83d43c5d4cbe7 |
| SHA256 | 4de38b1b82d13f20daf00cad819dd9cb85d935a021c98edd9faabb19ac7bd2e7 |
| SHA512 | 67e6474ba7b12b3dd1f63dafbc2974bbde2e18897584b98b8dc75b3fc63d98dba991b241df21d266aac38b85fc0054329cf2e88e72e5116cb643f83363e78a5b |
C:\Users\Admin\AppData\Local\TempWLHPG.txt
| MD5 | ebdc032816aaefb79e13fcc01617ed76 |
| SHA1 | 60df98023e3b3e1bb01b27248744736ad911275a |
| SHA256 | ae7c352a3f0ef3534ded27c45250a72c2181851f1094da8964635dd531313a13 |
| SHA512 | 1470bd9a80d167c1dfb54c1aae97cc855fdc9f0395f05b472656ecb59a3e7b076a70a23ea35d2165611ce97e364ec8c9146c44ccd44f84d5ee0ae25be3a8facd |
C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe
| MD5 | ca2a8417b141583ff6912c03d7d14ea4 |
| SHA1 | 870d17903eb55f99b00a24524307fe5a0a199129 |
| SHA256 | 7f1876be7e993af47f25339489c5679aa3d4b6bd7f3b0bc02c9efc3ee7a30383 |
| SHA512 | d564dc93e6b6e5ed9852f2940e9d40555601975fe49c814d010878828698598f1c3bef017a90176cc75cc91ee88f3d4227f40e493284fa0c1e337e954b61594d |
C:\Users\Admin\AppData\Local\TempPPYAU.txt
| MD5 | 8091f700af1dec52239d936da72f76de |
| SHA1 | 1c04177cac4f084810636624c8c32df53c4359d5 |
| SHA256 | 5535390657902e65292e71ca08c60749d634da0ea2b29e7c358936afdcd376bc |
| SHA512 | 733c544f08ced5fd56454839e79fc5e225ee1f0fe1b8e309d9b0ef20b412dd6253180ce66a621d71fa1b3e7cbc5e07597fa231740553c0c30306a05a330d7435 |
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
| MD5 | 56f93e0b31fc97bcb9bac1ddad00c720 |
| SHA1 | c62a225237fe055bec1469c0652ca56f7ddc3ed0 |
| SHA256 | 8520073c1f917811ba97478b79e8bef46b3456bcd9d44cec58040e25f4682c4e |
| SHA512 | ce286f8983ac347e408a20819c8c4ded5bcc2717557b75738cba6a542d6a547dda5c6698411140e8477090ab63c71934cbb0c7567d8ca0e0831972c1c314c3ac |
C:\Users\Admin\AppData\Local\TempGPBHM.txt
| MD5 | 208e3a0f906b0b72f4d8c1627360b872 |
| SHA1 | ab6473eb79f2067297371802228f733fb84a8d82 |
| SHA256 | 3a38af70eb9eff06c24abdadbb3202280c08623bb318b02ade8f808ffc83a89e |
| SHA512 | acdd4f1ea9bff2750af8880e2b1c442d6481a84f30318ffcee3d751feea518870d9156a6683b791452688ef330a82fb0b26d975d54d01cfb71b9097454b6cc39 |
C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
| MD5 | 4770be7809e521b6110e586c4668c921 |
| SHA1 | 1e591acdd684f65980f45291fc2327c14a438d66 |
| SHA256 | 1fb7d90cd734e0f379e28ce8c691eb418cc116d432dd77124e96103d453abdf4 |
| SHA512 | 260e4073d167209801fba77661f812ed7a55e2a8c18c8575e23738286c04a0bf43444ef8074e5ed8d011b8aa91a70ebd1b398b334eb58451943b3628f518e168 |
C:\Users\Admin\AppData\Local\TempXGHPL.txt
| MD5 | 8dfc297eea781ffd153772001f007318 |
| SHA1 | 8239321a5600d63ca07fba4fd71b3a9fb97b030c |
| SHA256 | 0ae65a09c15b9b6292a4fc952a57a0d63e013350cf55de5c5db4dad59e323eb6 |
| SHA512 | bf11428c3c5e4b169f719356f6ffbf8573a29ea2c6f6d6099ebfe733b31994c311a1ead69874fd24d169e2d778c045dabd385f3baff8f6be5aa9df2735e25bb6 |
C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe
| MD5 | b6e826f4fa6ffbd91c3c76693eb65930 |
| SHA1 | 1f77211d95629df8fdc7f84b2a2c079df74d733f |
| SHA256 | 481b7d91863e59703e45e7ed2ae78fda099d9610714c491a616e26b19eb3f7b1 |
| SHA512 | 9dcd15491f9b6b5b7b685334089125f747894567799db2c7bddda91ea382b0f08d3a8173fa9dd693666fced5269f46b5228ff80aacb43abb5684ba59a4cb9666 |
C:\Users\Admin\AppData\Local\TempXLSBM.txt
| MD5 | 7b6aa8fa3a23f066ef2ae9e0139f2445 |
| SHA1 | 057b8582ebf931f088321f2f62006b5069fe7653 |
| SHA256 | bc2f6f5e95690c3a07bf70b5b29802fd355cfc4fe9e2d1a351819673a1721846 |
| SHA512 | 9aada9f4d0ea9a23637b6325f8f240a5320bdd3e26d476bdb6e9c7478d0230d87d39a698caf314690085fea422b2a53cfbe4ab71bb3bc01726e8b0f5f70cdbaf |
C:\Users\Admin\AppData\Local\TempPYPEN.txt
| MD5 | 55bd3a47e06c4e9b33e178babb5bd08d |
| SHA1 | 7a9be0964f4a0089321addbc9e7fbb972e6a46cc |
| SHA256 | 9ad24f852571b6c8ef215cd87bf67cbfdcb04a008cc896d9bf5cb6c8837b71ad |
| SHA512 | 5e07900f2a170912ca5b831d4eca63272a2858ab8b4a0b349077d44da12ddcb407985c75e22a1e3b8de0dc834127db35b092c6f329016c581a6f2fc3d5d80ad0 |
C:\Users\Admin\AppData\Local\TempGYXTU.txt
| MD5 | 5d65185cf81a270b57e5eb51921d7ec3 |
| SHA1 | cd8923393bf26361256b1fe8c08f0b727290df62 |
| SHA256 | b3190eeaf9f16458ba697b7ec35039307993c297f7ef229c57fe0bb886f8c4c9 |
| SHA512 | 483362daefb7b81f5792a12de29690f86909584c9d86a1d8d576d4e80a60d201401a51a86daac988484d8d2bf8f9713b7f5b4a5d62637f37b931c42bd662ca8b |
C:\Users\Admin\AppData\Local\TempOLPKS.txt
| MD5 | db41aecb626bb456c0df32e097af764c |
| SHA1 | dfb3673ceba03c44be54080f12f73c6ce85215e9 |
| SHA256 | 4e59d99236405abd65f6e08fa469aaadd915f2fa1a1625cfe7971a340b29a7e8 |
| SHA512 | 5b3775c2062284c2b922c0950ba7c8986304bef682b1ac7211d517b715e08f52c8ba079bd2c8ce8408609d0036f3a16497806bde899851162dd53bd422c415fd |
C:\Users\Admin\AppData\Local\TempQUPWL.txt
| MD5 | cecf77ffb4676f98aea1eba4214be944 |
| SHA1 | b2daf9a2223d232945f30fcf49bb6d230326404d |
| SHA256 | 0bff23ed7c7942adc9224c0920e5a39f26ca7926337183aca90b95cda676e016 |
| SHA512 | e47b6a4a2f9c17fddedcef371258864c6b06b48298d898663809e6b40049cb4219e08ca1282f92d07f91b41db24f6ac68109471ce6cbab20951ce824d7ed3de4 |
memory/1928-690-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-691-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-696-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-697-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-699-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-700-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-701-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-702-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1928-704-0x0000000000400000-0x0000000000471000-memory.dmp