Analysis Overview
SHA256
35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
Threat Level: Known bad
The file 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6 was found to be: Known bad.
Malicious Activity Summary
Blackshades
Blackshades family
Modifies firewall policy service
Blackshades payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-23 22:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-23 22:02
Reported
2025-02-23 22:04
Platform
win7-20240903-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIBHOXANTKSHRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCUTBVLYBGPGF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ULAVRMVGWBGVWTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXQPRDHMAM\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXODND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFTAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNLTFMQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEXHTSTPNUPFSAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFSDBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IOTFDHCJVWRQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULKAU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACSPPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAEUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGQXHEOIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BSLRYJAKDXCEURR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSCJTPKFEUVSBB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUEPUERCAF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQUIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJAU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DAEHTUPNQFTBKBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSOERYI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDRHUQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYABOUMTIS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NHRYIFPJKTWXJKH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHQNHCCRSPYKQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPTFDHCKVWSQSIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGQXHEOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXLBOKIYXNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOFWNCMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNEDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKKWTQUPXMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQCINA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHRYIFPJKTWXJKH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFTAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe
"C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe
"C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGQXHEOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe
"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IPTFDHCKVWSQSIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVRRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKKWTQUPXMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXLBOKIYXNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXWSST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUEPUERCAF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGQXHEOIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe
"C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFSDBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEOKYX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCJVWRQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe
"C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOULJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAVRMVGWBGVWTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe
"C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDRHUQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKXIGL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEHTUPNQFTBKBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNEDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe"
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
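The command lines above show two behaviours worth turning into a check: every dropped `service.exe` is registered under the HKCU Run key (value name and Temp subdirectory are random per copy), and the last copy adds itself to the Windows Firewall AuthorizedApplications list under the display name "Windows Messanger" while forcing DoNotAllowExceptions to 0 so that exception is honoured. The only destination in the Network table below is 192.168.1.16:3333, a private address, so this run yields no external C2 indicator. The Python below is an added example, not part of this report or of any sandbox tooling: it parses command lines of this shape (the handful in SAMPLE_CMDLINES are copied from the list above) into grouped IOCs, tags them with ATT&CK T1547.001 and T1562.004 (an editorial mapping; the report lists no technique IDs), and flags the batch path whose "Temp" prefix is glued to the file name, which is why the Files section below lists the .bat files directly under AppData\Local rather than under Temp.

```python
"""Turn sandbox process command lines into grouped IOCs.

Added example, not part of the original report or of any sandbox product.
SAMPLE_CMDLINES is copied from the process list on this page; the ATT&CK
technique IDs are an editorial mapping, not something the report states.
"""
import re

# Representative lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f',
]

# REG ADD <key> /v <name> /t <type> /d <data>; the key may or may not be quoted.
REG_ADD = re.compile(
    r'REG\s+ADD\s+"?(?P<key>[^"\s]+)"?\s+/v\s+"(?P<name>[^"]+)"'
    r'\s+/t\s+(?P<type>REG_\w+)\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
# cmd /c ""<path>.bat" " exactly as the sandbox recorded it.
BAT_DROP = re.compile(r'cmd\s+/c\s+""(?P<path>[^"]+\.bat)"', re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "...\Local\TempXXXXX.bat": no separator between Temp and the file name.
GLUED_TEMP = re.compile(r"\\Temp[^\\]+\.bat$", re.IGNORECASE)


def parse_firewall_entry(data):
    """Split the legacy AuthorizedApplications value
    '<path>:<scope>:<Enabled|Disabled>:<display name>' into its fields.
    rsplit keeps the drive letter's colon inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, display = parts
    return {"path": path, "scope": scope, "state": state, "display_name": display}


def triage(cmdlines):
    """Classify each command line; returns IOCs grouped by behaviour."""
    out = {"run_keys": [], "firewall_exceptions": [], "firewall_policy": [], "bat_drops": []}
    for line in cmdlines:
        bat = BAT_DROP.search(line)
        if bat:
            path = bat.group("path")
            out["bat_drops"].append({"path": path,
                                     "glued_temp_path": bool(GLUED_TEMP.search(path))})
            continue
        m = REG_ADD.search(line)
        if not m:
            continue  # plain process launches carry no IOC of their own
        key, name, data = m.group("key").lower(), m.group("name"), m.group("data")
        if key.endswith(r"\currentversion\run"):
            # Run-key persistence; a target under the user's Temp is the strong signal.
            out["run_keys"].append({"value_name": name, "target": data,
                                    "in_user_temp": bool(USER_TEMP.search(data)),
                                    "attack": "T1547.001"})
        elif key.endswith(r"\authorizedapplications\list"):
            # Firewall exception for the dropped binary, hidden behind a friendly name.
            entry = parse_firewall_entry(data) or {"path": name, "raw": data}
            entry["in_user_temp"] = bool(USER_TEMP.search(entry["path"]))
            entry["attack"] = "T1562.004"
            out["firewall_exceptions"].append(entry)
        elif key.endswith(r"\firewallpolicy\standardprofile") and name.lower() == "donotallowexceptions":
            # 0 re-enables exceptions so the entry above takes effect.
            out["firewall_policy"].append({"value": data,
                                           "exceptions_allowed": data.strip() == "0",
                                           "attack": "T1562.004"})
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_CMDLINES).items():
        for item in items:
            print(kind, item)
```

Feed it the full process list and the run_keys group alone gives one IOC per dropped copy; the same regexes apply to a Sysmon Event ID 1 CommandLine field, where a REG ADD whose key ends in AuthorizedApplications\List with a path under AppData\Local\Temp is a reasonable alert on its own.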
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | | tcp |
Files
C:\Users\Admin\AppData\Local\TempQCINA.bat
| MD5 | 132ee7f892bcd0d0e5b996711fd34cd2 |
| SHA1 | d76384e799dad01ca934cef98f2ecfb4ce20a5f5 |
| SHA256 | 482366c7c38bca8a31cac2fe83c84e6269a84043eaf665885e58b84ac9a365c5 |
| SHA512 | 3844b6dda104bc3f012b4f21874aa8efb315409f592d8a4fe977de6ee26123b4119eabc3fcac3911f712103a63f5a3991eacfe6090a49d6f46516db182d33343 |
\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
| MD5 | be6675220d2463bab5e6113cb9675360 |
| SHA1 | 834ba1d38f0c5942cf559f2a0134247c8b660f0b |
| SHA256 | 361d2cbfeb6a72f96de13379215650f7c4ef2d90b9f9199d955d924a276784e4 |
| SHA512 | 0d0b623c2bdd592940c780f3599c635c04bb94aed81c88a7228db993832662454df76e76b71d300211aaba556c6867932dfbc0f7cfa90c81b021aff8b33e25d1 |
C:\Users\Admin\AppData\Local\TempKWHGK.bat
| MD5 | 26dc1b311a85668f400d2ca6a520c43a |
| SHA1 | c3c32cf0a9c2e34e642a96a8fb02ae33dfaab962 |
| SHA256 | 64bf4db157623c7c3b5793e1979cb2802dca2e64c99cf9cf1a1a89b8e8d262a8 |
| SHA512 | 3a60c95a339cdb4477938255a03af444969d2574bd3ae341f0b61524a1a435673185ad385f46acc758f01ff1e6df4258040a0725314a263db7f353ff7fbb0107 |
\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
| MD5 | 92aee1b50e78def0612095f0faa59492 |
| SHA1 | f23dd4488d64fcd46abc4b708f7d90baea055ce5 |
| SHA256 | 44407e204f58daad73cf8894750035a085e91163e6873f579b92a52ad5eb099f |
| SHA512 | b584580c45aaa036e4dba5c57aaf828559fa05fa4527ddbbaa6ebc61017bba15415c732ae8a0c7de5c35d1db2c338e548c8439c987767e60edd19bb646e75f00 |
C:\Users\Admin\AppData\Local\TempOMQLT.bat
| MD5 | 9b8ddcb8a03dda0db854de76f0b97656 |
| SHA1 | 33e6cf7b482d51ef46095957b6c7757aeaf3fe6a |
| SHA256 | 4e81ba1a0b8e70dbfa0c5b77c2b2ba7e2a1e1842ddab305960de4d3f8422a368 |
| SHA512 | 967d33476d233c9f45d452247268ac5c03eeb104330a885bf6bfaf9143c19a67680ec766122a884aefeaf6375d2b9c4959cb7458ebca18443b5610a2a8223840 |
\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
| MD5 | ed3e1b579746d4046cbd6a4cda4506a8 |
| SHA1 | 077d30f5d8870b84e0856bfba48f12d10f0fda5e |
| SHA256 | 30378eca94a46f32c9a81907fe1a448bcb58d9a25729f1f2350ceb401e09152e |
| SHA512 | 5300f14aed837bb4817fca5968a35ad64350706f59a71b26c63d0f06a54cffbe8f9101393374c52dfbde95649e1663da922889456a1ef848a8f1568c576019b4 |
C:\Users\Admin\AppData\Local\TempJACDR.bat
| MD5 | 207c5e2e589fb20b3290f4adb1e585e5 |
| SHA1 | 7fef3e2e35d9e04b7e2841eca3b3fd3b740d2903 |
| SHA256 | 98139c5f13002d6873a1eceb5caa23ae8e4d32856baf9a3ac9a3b60b9fd7bfc1 |
| SHA512 | 7cdd023c660d4aeb15864141dc0b8e82a8c58b4cd1c15252e11999ef5596b14232238898fdf1b1e1cae084727c68993d40d82ca3055bc55b4e44846a5c72fafb |
\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
| MD5 | 7aa810a0e0ad9d1e336bfc86de25f3e3 |
| SHA1 | 1eb54bb999d47408ba44ea70b489fca65d9eddc9 |
| SHA256 | ba450fe2cc0866aa22e86a8f7b80653ad3c849ad2915fb343675811d0c98d143 |
| SHA512 | df54c5fb787d91bf8c88c6648329bb0de01c48baec6730a5b01bc106f58bd16d78e7651411f7041d9bbfa5a117eabab2e52a35a2cee7166445e0779fcd4f8b42 |
C:\Users\Admin\AppData\Local\TempAJXFT.bat
| MD5 | a30167e31c01f85d6c92a66e4a1e7a45 |
| SHA1 | e6827711f8963253c69d0bbb93b1cdf6a9a6fc33 |
| SHA256 | 2193d0aa846a104c72d63655057f9e3e8d2db56f6fef38704c962da0420eb015 |
| SHA512 | c06abd285482f11a340756bb44fc90dc258062b4bda20625c561e4b2c5013300fbd2a7cb643dc7888c33547db25e132e34863d67a1bbb3a27d19949b18cc5d3d |
\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
| MD5 | dc7f130b15e013906bf59727d068c563 |
| SHA1 | 2ff3ff7b7873dc1f585fb063381175f9328bed7f |
| SHA256 | db14e872ed7f1c61e3057c3b69e3b5c3d9046d5c5ff83e2d01fcaa74cd003417 |
| SHA512 | 24c918a4ae6d8925a639365818e03c7854fb2026cfba6165880ea2bd0db6a99901cec9722a14003c1b505b8d873adb44b2a4dfba5d62d9b48cf3ee29750bf7b0 |
C:\Users\Admin\AppData\Local\TempGHENF.bat
| MD5 | 589436d2282c919a7471972002f0b1d7 |
| SHA1 | ccd1af9490b3201fb03e8ca72c3b036bb889065b |
| SHA256 | 658d9b4f290c38e30eb6b599cd21aa76a16ad64d5694e1543f8c5c6d8f5fe1e9 |
| SHA512 | 1d9e52be33fa2208e76082b4146853ff33877ba956e9fe77263b6093381ee836d052196d6f3899750e5553c94fddf2e1a7c32db5b098fe1dce9b694ee6b809de |
\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe
| MD5 | e0b003352a3e977596d046cbd42f374b |
| SHA1 | 941a845bdaae058ac9d864106c6e1d5f0407646a |
| SHA256 | fc4ba345eb916428693b9a37065788051ac8f386cfb61eb695682212b627de9d |
| SHA512 | db63a293eb06e170dcb5a1f6f328a1a55cc1f71d43855dbde3b6dcad502be5c3d3f69c34698bddaab66c6733e154436b8cd3e4e671d4f686ee0b9c92839bed4d |
C:\Users\Admin\AppData\Local\TempGBHVD.bat
| MD5 | eef7357c045170887b4993762e5dd5cf |
| SHA1 | 21031e1a02aa4160baff2c33dcb5e923facf65f7 |
| SHA256 | 86bab36c4455d62e74523fa3fff5943930a38b858fa9043df93eb6906a01999b |
| SHA512 | be86486ed0ec7459c6306edf10196a647aebb0e46f453d001b0838c064e9e233f16dd4532e79840365f2051110335a11ef60b0f22a5d97fd9f17804050a297fd |
\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe
| MD5 | aee31a9d17205c606ad1b79edef34973 |
| SHA1 | 48443e9eb42496f4e8220adc5f5b153e7bf15825 |
| SHA256 | a08f3eb5a5fcc973af9434eb39b588c76c36f5c343bcaa9c49e6890981a28446 |
| SHA512 | c46d8c5c8da4d4274c505ec01b19897e62f39a6cb315d1838c6202c3ec09f2932b3c3c96f9a8a039e1c660ed747d21362875d05a17c51823c3ebbb02a10b744e |
C:\Users\Admin\AppData\Local\TempTYKIM.bat
| MD5 | ef318d36c60c50998d4ee3612bb2c364 |
| SHA1 | 6d4260c806898d4833c0fdbf33cb6261633477a3 |
| SHA256 | d17d6d8fc2dfe6e06c477d461b937c0ed710312c8fad215f656b48ab5979cb97 |
| SHA512 | c319cb274db910d20ec4b0f5c540d4cc4f29ef05283f406cf10ca068f08164115031b296ee8b31e316dcce6abf248041cef406b14692277f9901cfda5bf841a4 |
\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe
| MD5 | dec65c9aad9a24611cb9c2cfebb483da |
| SHA1 | cccfa5db5127605d3fb697ff45ee3085a6e35e10 |
| SHA256 | c811785ec916d1a99b04c82a9d84cf0ad23a07c55673455a4d9f0a207739d771 |
| SHA512 | cd05e4265b375dab5f36080d90c8624c553e1e2e46e68d6dc78deea6e2092ea50d88408ef0a948dd709fc53e4563a290ea1b36d3996a959cd9bf24c983a03ded |
C:\Users\Admin\AppData\Local\TempIACQM.bat
| MD5 | 9fe31522e32686d96aa4b7f746e43622 |
| SHA1 | eb58bb76f771b5113e0cd148c3f708dd5544bb28 |
| SHA256 | 3409ec305bc11e703108de450fd3ecb5593ddaeef8f099d0ea7d065310c19a6e |
| SHA512 | 6966491fbbbb745f6d21cfc8a8717902cab3e448009722c51984162e202e6feda31d5dd4f0211bf5bfdebedc20a1135b24af227d2788ccf3342953cfb98c5a47 |
\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe
| MD5 | e3badd68e786495bae742015fd1ce9bd |
| SHA1 | 48d54b0a1f1162dda4337d3ff27151ef0120fb3b |
| SHA256 | 2a09baa2c29ab6063b90a63db7c27b878288edce8df6d8c6b8a84d29de50be15 |
| SHA512 | b9213db8938b0afca8187380c2e6b81e214dfdf4c420064df585226ef2ed4e734cb694d1ec40cc14f886ba923835c58b41e5a19fa12ce04a66b4b1156f8e706e |
C:\Users\Admin\AppData\Local\TempBPYLK.bat
| MD5 | a10f7849903f762fe4fa5132e5c47f3d |
| SHA1 | 27d9b61d92991d2ca2c120be1b4a6f071f8a240e |
| SHA256 | 03b747a65a1f1813551874b2f4e6133dbac1efd8bba28abbbe874d38199286ed |
| SHA512 | 4d922b5fe3e2e3a385bd7cc7e9b21ac489e9eaf1e9fac1b3675804cca68bfc6f9ca37a7f7726d19956d0337abdd44de758e338356d07fd4bcdd27e8ca23a92cf |
\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe
| MD5 | a176592e1a6f756ac11c28ccdf952b5a |
| SHA1 | 968d6e6f2103543520c14e0c5c01e5b01a235e2f |
| SHA256 | 19af71d5a1ac35668f97c003e80a74d8ebc45138ecc1ecf13094002b4912481a |
| SHA512 | fbc608566c773d85bab6ecade373b1160d8ee0eb10eeb2b99b73fdc17f4d4f8a87d11776f2395e39dc640e4fb7fdd2bb93df64f6b63f897fd387886af7e92213 |
C:\Users\Admin\AppData\Local\TempXGGPL.bat
| MD5 | 2d88b6f973244a550fc52969ff4731d0 |
| SHA1 | c2ee94c917051b866b4e86c4a9172cb5bd55fcbc |
| SHA256 | 725fb8315a8dcc5fc12d0de6a3a0e307b80ad030920bb41897555c0948b4372b |
| SHA512 | 7c09587a68a3813cf9554294c66cd27828ff4852dc1fc2d66aa792da3f78716b4e626b749ce0264a0148093c1400b6a1f8120777d76f1408f295854d6e8fb693 |
\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
| MD5 | fbd0da60992c474fa8f710a05abbc7a0 |
| SHA1 | bbea64e98b9e17e464c4676b0b39906fb251b82a |
| SHA256 | bbd22cd39bf24e54e4dcbf1dbe64519878d37df8868d7d435028132e9ec0e391 |
| SHA512 | b505805af2556922147fa98af06e63bfee318d33b91f9d3575a9fc20d9aa5e1eda901a73b74dde81f497f058bc05c6b71718f1409469b764b0423a45e3354faa |
C:\Users\Admin\AppData\Local\TempDGHQM.bat
| MD5 | 0b57c15fd2f954e4c0ead7c5b4f07712 |
| SHA1 | 5b73040f77d43fda38413a933725a8c217d927e1 |
| SHA256 | 0306c67f59bc629b07b635cd19ab7b7393149afac18b8ff119b1c84fb1ba32cc |
| SHA512 | 0cc8ab2799c04ad5ee51a7058b5eb3d01e231440f737c2695fd43ae466635ea4d7eb0c7d27d3e4d43076cf8d2c7b266e0486ee0d7e097ed236c27de5749807c4 |
\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
| MD5 | b34cf32225094536ef476673e881407e |
| SHA1 | d2a952eed56b4e72f94f42f4672380642ff38ceb |
| SHA256 | c8e66148b36714797ea1edc36f893eca02fa802082c6a6f3684422339d935423 |
| SHA512 | ee95f25a788fa6478298a40d5084c2bf16f0005dd3a01d33a9020561d1c08ea0653b27e4b8d975df11d0b1075543e443a4c1fc23434f7ec2dcc3df134b609c98 |
C:\Users\Admin\AppData\Local\TempVGHFN.bat
| MD5 | 649768245ee376ffc501a33bebe3ff51 |
| SHA1 | d27f6c33ff1c4afc71dcf3eb412dccf631a44782 |
| SHA256 | 9ba2fd48a5053939f3a6ef807b75510608cd60c4fea4eb8880b16af43695b8d3 |
| SHA512 | 8351c21ac564aa3a93cbdf4bb0f8277d10db872bd9cacd8c5257475f89133383431b9687642f743cb91966d98bb6cde1978b2a33536dd5799bc063654d389adf |
\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe
| MD5 | 87948ac7ae836725479f8eb5719f2962 |
| SHA1 | 723c4343c61bfe097b61292be3923d7349cce6d3 |
| SHA256 | aa88fda8f91696e516a8045f35c13c25439d09ea40821cef55266236185b471d |
| SHA512 | 8454575e22b8dee37ce737cbcf41d34833361079617730e6eb58ad793477d98bfdd8c1e3f849b1dd1d05c65c54bcdb58d966e5e5361d939892a31ede0165d41a |
C:\Users\Admin\AppData\Local\TempJSOWN.bat
| MD5 | d39cccc913240baa6efa209416c54650 |
| SHA1 | a80a7efbabf2efeb182cf64e9f19153c475cf2b1 |
| SHA256 | 305e94792baf3df0a537a78527dd659f5359f28291242e09928d6c78f916f545 |
| SHA512 | c951547be1a48011283fa7bfcb0dbadc01e21b377b1fd1fab96f61c4ef692544fcbfa87f5d981221e6a8c7e2520dc87ba269c8cd8532e833df6d5a5df047f5c5 |
C:\Users\Admin\AppData\Local\TempJGPBH.bat
| MD5 | ed6b9ff4ddc912cb5e4b9dea8b4eab46 |
| SHA1 | 76088644ad856ef052be0511a66e55227937c96d |
| SHA256 | 42ce7a5e9fae45e628311783ba8bc11feb7f136b32a116f89935b46b64bd87e3 |
| SHA512 | 52f394838fe2bf38eb858f9686a58545c6e9f9911c00c9271b42e19146a996be895646c260138790de95199d044a67fe418efb24e9113ae55ee7e4fbe6d9b175 |
C:\Users\Admin\AppData\Local\TempLPQVB.bat
| MD5 | 0b5902a513078dce612bdb0904f70d14 |
| SHA1 | 96280bd49e5a5305afd1e9564f063b95218562e6 |
| SHA256 | e1a1bdbf6313d19210601de717b5f513cae9cf90ccfb50ba9e06b6627b20bae4 |
| SHA512 | 76067c4641dd3e186b1cbf0f8c969fd58a38b5b72f444ba6c1be91e0b1d9d2dacaab831691e972d1fda45e9546469f6400ed3d2814d2435fb91b838e6ac6095f |
C:\Users\Admin\AppData\Local\TempMVHNS.bat
| MD5 | 3c9866df0081bf211407a2e5ef5b956b |
| SHA1 | 27c071f2ffd32e19eab77cf1f14bd73d7380fce4 |
| SHA256 | 7e0d3b53ef1eff61a0dda5f24bc00c980c12eed99c2087f11286e06c96cae586 |
| SHA512 | ef5aee8c438ded5dd4c03ef16c951f8c86eeb7ad0d19ded0db1247ff26c7f09d610325e4c51a353a1958613054230d08d287081065c71ee616856acbe1f612ec |
C:\Users\Admin\AppData\Local\TempRCVVK.bat
| MD5 | 1b8a00edd0fc407d3403cb505dbd5f65 |
| SHA1 | 01e6613e2bf660ccd6a0c976b7ca8a7abaa54fc2 |
| SHA256 | e11c26837d37df3c197fa7828924cc2ba298fda359ecef1db90c23f8f2503a5a |
| SHA512 | b63261cbc40fb7e5cb957f9417b78e8857ea5fb57c49aa98421737892626ccec8cf51426500e88e942be731c5fc8eb48b533e7c962081aa0c049923c31688f4a |
C:\Users\Admin\AppData\Local\TempLIRDJ.bat
| MD5 | fd2e1ac873abdcf75d414027ffc438af |
| SHA1 | 031fc7c7a45c88e0122241cbb6d2d8f5be1a12be |
| SHA256 | 397ccbb85835159e8a38e447cc96082365901a66ed882919641a6c6f114c60cb |
| SHA512 | 9565732efe62cca6179aa42fd6c403ca1b333a63c2cda04478a9589fa67b48efd2369961ab01fc7fc8710f078a52f402d621772650e1eb185816adbfc327d4b9 |
C:\Users\Admin\AppData\Local\TempOXTSH.bat
| MD5 | f7bfb453faab979096f675bbba881d5e |
| SHA1 | 0018fd00202db197fd7efdb7d17749bae0f863f8 |
| SHA256 | 282a1d54c280c2510264d7957caa67f6eb563107017bded592a55c3d5fcb6a15 |
| SHA512 | be71e8a29234d0de31003c30af92dac7986d192c5a41197c7b6159f4428bb94be89ac777e15322e8d7e11930dc7adfd24fd2ce001884599113a8149f5f87f7e0 |
C:\Users\Admin\AppData\Local\TempHIFOA.bat
| MD5 | cdfa77971a1f9127b97660a76d4fb58e |
| SHA1 | 875b079728e19436dd88625936b1006a4ad03e07 |
| SHA256 | b299f4cb54fcd5fc0b66cd58f10dd34a3edbc01e542cb6ae3f8e2e23cf29c2e4 |
| SHA512 | 74fc432277874fadebdfbc3ce5e2c2b299fb4eefdcd9fb971664eef39fdf29e5e4fd5f6c1befe62065a5a4827cf0d99f33336da413343e1e1e9dcf01702037a8 |
C:\Users\Admin\AppData\Local\TempQBUUJ.bat
| MD5 | 373e3e79d33ab24a63920df75aadedac |
| SHA1 | 025ca3368b01e37d1e2f466a1612d6be164af035 |
| SHA256 | 559746d47a9aab1f4b5e26da733afce2275997ff8470bc178f65d8865bd4ef52 |
| SHA512 | 33af5673baf8114720e31fc265dbbf6f3331709e0e9608acf90ab02f67e90c8dc57a860d19be1b5ad0716fd2c43e7739c2c70569122c009c42a6ea9e9d4d48b8 |
C:\Users\Admin\AppData\Local\TempDMDXB.bat
| MD5 | 86d46b22ad4be83bae4400be75994f3a |
| SHA1 | 36833b490ee0da163a18b8135947a608c5076df1 |
| SHA256 | d0fc60d20c3b5a2910e4cb3c545f042d32e5d3c350a755fcd5edaf687fed6f4b |
| SHA512 | 384347bb010665ee7325babd297f3cce0756a88ec3019dff2f6521f70e873416b56cd773034c5f91e3913462ba5fc03cd0905712021e20b67e423f159f709328 |
C:\Users\Admin\AppData\Local\TempQBUUJ.bat
| MD5 | 6b22f9a52b2074c541d9fdb9568d82ec |
| SHA1 | 0ca1a1050df5be325decf699718c1c9ac037596b |
| SHA256 | 7e2f886fff4ca79f00e82433820ef385513659e190c15595c09b0efc3b35d806 |
| SHA512 | e9a9ece7080be7b19eacca0b9990ce5f1f629d0a6b448bae8c9ce2ee8a0f5b4e0fb8fc8e7bc7022339a678b8837296487f7def6f75e7fb730d06b9b9f6efe9cd |
C:\Users\Admin\AppData\Local\TempRRCWV.bat
| MD5 | 1c62971fb6a107488ab956b7fa44de74 |
| SHA1 | 800a7560fafd0eb6277307513266e9cec10a2dd0 |
| SHA256 | 7f3f14eab8ffcd3f6b0dffde00360b5a99862e56d05588b794a0f4b2c8737159 |
| SHA512 | 6e98ba70daba32ce6fc96bd721f704bee928c7c1c3f1b470e9aeac71b07adb42dda54e7efa86d601061c71ccfe093d400ea6fda9d74a16ac107adf2844a57c23 |
C:\Users\Admin\AppData\Local\TempCUYTQ.bat
| MD5 | b643d0a270af101a499759dcdbd0c158 |
| SHA1 | 322b05844e3c68bf26a948bef889376bf098599a |
| SHA256 | c223e954ca44188c8423f4b8043401d93fe8d5c4020d194ee8b4c89bed33c671 |
| SHA512 | 73486fb470f3e99b5a402eb148b9adcc44899218f545ef4e5d03f8f191739e68affcf33c8f311384f31859416764baea4c6712d7814d78dabc7c6380abfe98be |
C:\Users\Admin\AppData\Local\TempMWRFC.bat
| MD5 | 8ef398f10eb3af1865b8ec58c18aa300 |
| SHA1 | 888e18364349d6e9cbcffb02a5b1a7850e11b659 |
| SHA256 | 51c32cb3454514cc43944ed14e7dd22eb408737eef7ccf8e2196ad5494895278 |
| SHA512 | 744b2b7be22dd6115ec3608fc8d940e3489f606d1365374c65b7268acfdf3cf418455ac12cde71a3d7a729b1b9c7cf703caa1c5223c7bd79fc3c6d1974b23ff8 |
C:\Users\Admin\AppData\Local\TempNWIOT.bat
| MD5 | 3fa377d490e135358ff8715b7130b57c |
| SHA1 | 90826df37fef897b8d9b2a225d23b581e87e5e71 |
| SHA256 | 07652d1b9830b4d5d201dd0a67c88e979c0a47fa940c7cb638286e51b638b7f0 |
| SHA512 | cb99c54fc5345e204f70433c41f232e80d8893ee4447f152781f9b7a07b24319ccc47805fc35669ed599fbdce7c0c58ddd70bd6b3b0878716368f0bee0c1b61d |
C:\Users\Admin\AppData\Local\TempVRRGP.bat
| MD5 | 177ef685f101b4514d38da08c26b4916 |
| SHA1 | a8de1a4932d0a294866dfe6df603332810798f01 |
| SHA256 | 68d249174563164568155732d8d4b0f6a204dabdcba1dd9cc0200bd546553a52 |
| SHA512 | ccf51f66d9de532f2d73d7618484c1305001aa7739d1ee7330d9dad7dc08e8f1a2ccc50fa02e594681d534f453992d455e41f5df76274c4728cebc5f11cbe384 |
C:\Users\Admin\AppData\Local\TempDGHRM.bat
| MD5 | 0249cdd5fec49f655d0544e0408066b0 |
| SHA1 | e4570b515d8315dd7c7ae990fed0e0531d9f6717 |
| SHA256 | 770e28d52596e72f3cc06bf58ba8b7055cc4a67e4015ffe5cdc92249d62a134f |
| SHA512 | 135aa6d91b2347882a50de341f8e7067958b94332342af2c68f5ed31d02d4689d34b014385b9ca6bcac26db030f6fe9601ec421f0ad028c04d66b8056e85573b |
C:\Users\Admin\AppData\Local\TempYGPGD.bat
| MD5 | 1f8f579ab62cfe581c4c6de860067269 |
| SHA1 | 6f7cebb86c094487b897e28f8bdc260ff16775b6 |
| SHA256 | 206b0a8b5576f2f0dff9c0c148dedaec8c2e8b12e29a91b89e3af94010328d84 |
| SHA512 | c3fdc977c60ffa648d4e3e9d79773512721dad09ca6502c700cd4bf0f8f8fd08f6f559221b108263af8163df501cf439d73cb2c4d64937501551171dcc3c01f0 |
C:\Users\Admin\AppData\Local\TempMHQHF.bat
| MD5 | 7ab00c2d0ec3d74d552ef677edafa12d |
| SHA1 | 9f553e5d98a60c4e079c57b27d9545066605e02f |
| SHA256 | 898f879244a352030d694967feced2116a26e20ed258ec21ec23df4afaacfdc5 |
| SHA512 | 23c9e91b67f5f3868d16d43fa5d3271f945ac0c48dfe77ca6aea7e0b24832a86e8b8da26647b200b25e1cf6445f75802bbd33566e25eef9ed5c86e9949f8a9e3 |
C:\Users\Admin\AppData\Local\TempXWSST.bat
| MD5 | 9345f08689fe9ac123c094bb65366e77 |
| SHA1 | 470d5369ba4dabee336ffd97339d7dcb6396621b |
| SHA256 | 0a26021dfbb14124ea33771520cbc86fe44997638dea0ab0f44d423e3d36bfea |
| SHA512 | 55c30f1fd537ad7d87d282faeba49bbf76700f3d1a497f3c0bb7e90cf900099945804c860235db2462b10de94c90d75dc6d44aac4665066d855179191d02419f |
C:\Users\Admin\AppData\Local\TempUASWR.bat
| MD5 | a3e636817c81440b8ec8f4a3fa40fe14 |
| SHA1 | 7ce060d703b153db843dc9c98bd4d751fbe06292 |
| SHA256 | e9336459ff6c1d72c98003c12815003c4405a650da6ce3d5aac4ec3b2906c12e |
| SHA512 | 90256f066693580819968efbaa7c70955b49df02bede8faa27c6b9ac8de6231ed31d16f7456e69779e64dd4c52d2d4f0952db5132b2b335a6518e6cf57a97a4d |
C:\Users\Admin\AppData\Local\TempXMIQI.bat
| MD5 | 23b334148f422c981734c5e6931abd32 |
| SHA1 | 73309ce790362c60b09e6846bfedc5fa0fb97007 |
| SHA256 | eed120a8c0e01c0cc8dc5b653e163e164398ad91e1ceac1413ee081c23539d1f |
| SHA512 | 6086a33d99e2b73b1d03e52641651f6cfb4910e40d3b50e31dc3e4acd123ea5dd85f6e6cfdcac965adf08dbb32cc7af70e8fcfeb1f346b4a664de3cb71f23619 |
C:\Users\Admin\AppData\Local\TempRMUIJ.bat
| MD5 | 759a614ace0e3352f7d48e1e47c9c016 |
| SHA1 | 3f96be3a19dde37ff44f0630880feeca3c6a2fd3 |
| SHA256 | 7af5d185d2338b34d83e10d849f5424ff517bbd2a1947f15952e8b346020be89 |
| SHA512 | 6a145c0ba87f9a98d69c68bb1f6f16eb85e1f10019e75241fe3ca77010cae4ec4fadc6625b11a8725a0f7c48a0df57062adf01f74ea5156bbf5fb76e83e8c4d4 |
C:\Users\Admin\AppData\Local\TempNJXWI.bat
| MD5 | f3b8ddc4d4fad0bc32f84eac08e8b5bf |
| SHA1 | e01268ff601b676b24a9523067c804a7acd5685e |
| SHA256 | 645541f0f595c8bd565536eac2333a00019fdb7cb74fe9ffa313dc4c64ed881b |
| SHA512 | d0ca064e5ade826aa3a5e80f30dab95565ff2e7ed104edbdd2e036412559cc78c9ef5090705e95f079c0ad6bee1386f5a4beb75b2b5bed282dee5762a27ef865 |
C:\Users\Admin\AppData\Local\TempUFEIV.bat
| MD5 | 80fcdb7f0d083ecadec5420f5524c4df |
| SHA1 | 04f86b3afa07b6fbe7e2591bdb3799cc2e78750b |
| SHA256 | 743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa |
| SHA512 | 7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04 |
C:\Users\Admin\AppData\Local\TempGPBHM.bat
| MD5 | acab14ba87bf9ddb2147ace156e97372 |
| SHA1 | 6e0cf4c039c56b02039ac63b61028dfc21b416e5 |
| SHA256 | 5f4492ded316fb712b9a15073e74b254b12d79c6b08846dd6fa29422c6197ed2 |
| SHA512 | b55629884b3b98d998c7c1761d43e6c01d3aa45a43580e8d8f32044394aa0185722515393e370153c7c01170aaebfa0c2e2170beb804f186d271a21804100188 |
C:\Users\Admin\AppData\Local\TempPVLJN.bat
| MD5 | 577f5996f783f890ba33c6040c10977c |
| SHA1 | d1915aefdd08072f2e106d8b9542286c8a5fa759 |
| SHA256 | d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f |
| SHA512 | a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e |
C:\Users\Admin\AppData\Local\TempNOXTA.bat
| MD5 | 4febd0c69ee4be6773ca67e0e845b982 |
| SHA1 | 176496a4a3d6cb0371deeba7367c63d290169c9d |
| SHA256 | 0a869712ea250aa0f1512fd5feef21044ff2b2b78bf1173adfac70039415706c |
| SHA512 | f3574c2afeb12abc3fc528fa09e2786e4e3b41dc0aea0e351df3f5005536981e947753df9c3de78e06a6f9892d34cd7c33cf404ea5a1bdd205936fcad310049a |
C:\Users\Admin\AppData\Local\TempPPYAT.bat
| MD5 | 8017c40b3b87f358920ddc3a7822801d |
| SHA1 | d1707ebb4875777b38e09531e15d0cc1bb133731 |
| SHA256 | ae1c8c15c6aa20d60fc888d7e2067bfcee9d767bfe85da8c6922e998f4c2ed5a |
| SHA512 | b9f5f59b6d2d8e5250737c461625785dd78e697c9abf87e5f94751aa0f07e1f62fca270c00202ec6af2b18afc052de611eba4cd126b5ce78c913b0d518ca9354 |
C:\Users\Admin\AppData\Local\TempYXTTU.bat
| MD5 | b02893b7e1264e03427657ad7e8d60cc |
| SHA1 | 67a83d11cabb1a5b009643c45f8dd03f84b36b69 |
| SHA256 | b23e099f605d205a37e7d6817808f1fe52c00187c831f87488f66936efab9ac0 |
| SHA512 | 17ee8dedf20937b83758dc7dff8fcb0d03468d724923870c49be71c25e5382e9521fd35b744d0481ea3920e1af36f851f60b46ce3b15f39a51adfa963152b187 |
C:\Users\Admin\AppData\Local\TempEOKYX.bat
| MD5 | 13fc67cd31ffeff8ff68bcb3338f3759 |
| SHA1 | c8deca1940e43b5e3ece21d56196eeb6e765b671 |
| SHA256 | 086ba7ec0ac1b7daa0b72a2247f392c20244eb218562f4894dd0afca268fed4a |
| SHA512 | d26880b67eaf33300b4b62533af01a80efe00bb233ae3edcd6068d8548cddd4a13a4c85af9fa404307126776b22bde1dee871c49143ab07af6bbd1e4066c81ae |
C:\Users\Admin\AppData\Local\TempDMDXB.bat
| MD5 | f4bcee1dd00530f989ef44bc06d800ea |
| SHA1 | 96efeccae00723e1510681acd4ca9812ecf34070 |
| SHA256 | a3f12075725eb1e4f59ac358217eb8abf0bf93321ddf9c5302f7c072749460c2 |
| SHA512 | 8376bb982210ccc7ecbf4ad36aa46c841c98834751f76b1395e04d5f7a2c9f1d23097aeec3842e7dc106efa3ffcab08a8c74023b7a42817ea3f9dd590f137c65 |
C:\Users\Admin\AppData\Local\TempWIOTF.bat
| MD5 | 652f407aec6e62db91f8dceaeb49bb33 |
| SHA1 | 0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe |
| SHA256 | 9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e |
| SHA512 | 7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960 |
C:\Users\Admin\AppData\Local\TempOULJN.bat
| MD5 | 1031de00fb12877ca1ea3a3c30e9c1d8 |
| SHA1 | 9d7f12c6855696eef7c341525b06b4b3ed3a55eb |
| SHA256 | bd33a9c2689e3f7798a532cb2d7212a91bf702112aad1bd0785cf1fb5139a6e4 |
| SHA512 | 144624c0fa8a42299345c68fe6f8fcf9e4a74dcab009d69039fc24d12c22a35484bf5f28d270bc50eb15351e99c16c9d3376fd27d3b6a5b9e632a06dad9ef2db |
C:\Users\Admin\AppData\Local\TempMHQHF.bat
| MD5 | 5a25b81aed74b167ea51919cf873d2fc |
| SHA1 | 56b2f2e5184300b74b0e947721dd445ab94b5fc1 |
| SHA256 | c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d |
| SHA512 | a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1 |
C:\Users\Admin\AppData\Local\TempMNXTA.bat
| MD5 | b5f1dbdd61899b01889ca36394bfbcd0 |
| SHA1 | b7d45fdbf9502664c05df2c24fff6e7c9dfa8550 |
| SHA256 | e4dd63554ef451959bd56b71673a60f004decfcc5a7270cf39832964288cfc45 |
| SHA512 | 8c8472ce9959299f4878a84ef0d667f0efd367fdb40e90da3e1f651cfadd0477a4bd0f906dff1ddf1b1a6b3207623bac0b4a9b6d48e81a6764a7200851158458 |
C:\Users\Admin\AppData\Local\TempMIQHF.bat
| MD5 | b1d806a91b70ca83c060d89048cdb273 |
| SHA1 | 0865d2932c37142a30971e2d143e1e5c74657934 |
| SHA256 | cf11fc51fe8d86044f4c0023027a0608655684e11db86884295c0427ab5a3b81 |
| SHA512 | ba3ea12c4bc3857bf241eeda86de6cb6d45f9820e84fa90e6b89be5f2257800779414dadf34ac6709590a437d1ed79bb69459614646822f29b72152af656f7ba |
C:\Users\Admin\AppData\Local\TempGYXUU.bat
| MD5 | 580b41089b57db8a6c700604e3950814 |
| SHA1 | ad40f4de6e646bfbb845bed835dccf60c30c2c9e |
| SHA256 | 0ab38778cc72a8cec5b9954bb5043c04da77550a00e508919f5b41208e892e44 |
| SHA512 | 28f72cac31fa657b415f221e2bd06bab74324484cee1cce39cfe05d681dc4afba69ca801521b575943473534103c924ec996b1e8ea5d9bf3762ae607751bad0d |
C:\Users\Admin\AppData\Local\TempCAJXF.bat
| MD5 | dd9b85c1af6e757ed070222ec926d5fa |
| SHA1 | 3a3315571ea00bc351bcb25f1771fb38de381a6c |
| SHA256 | cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec |
| SHA512 | c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3 |
C:\Users\Admin\AppData\Local\TempMWSFC.bat
| MD5 | d436191c50229e232e217c85c462aa77 |
| SHA1 | b2aa8f91e2a09897c42675400e041b62bf538101 |
| SHA256 | 9ffcad743b0bbc3436f3b164eeb4a24245c1cbc77f61b527e918a3d31e2485a6 |
| SHA512 | 12a6358d4d810873c33b140f50c7ae47ea0eba0d9ce26c3b37b8a24a52c1c06d2b68aeaed032fde2fee3fa4e836baca9e144d9b56062ee1ee7733718dacac5ce |
C:\Users\Admin\AppData\Local\TempKXIGL.bat
| MD5 | ab03218c7bc1990e61ce6d03bd6b272b |
| SHA1 | 9eef00ec9f1e78c08fdc054d860c351f31030a07 |
| SHA256 | 5d861be2c28e0c100dcaf688357b1541f2cdd40e62921da3528ec2fde5a4ddf4 |
| SHA512 | 46298481ed75c80951bfeffdcd2bf2222fff93f9643e90dedf70a0df8ddd921719995ad65ed352fbfe9b59ebaac3a9f990355b1897da94d25ebbe36ddd70c3ac |
C:\Users\Admin\AppData\Local\TempEHISO.bat
| MD5 | 817581e4cfe28bab2be4f4b73f7ab372 |
| SHA1 | ae99ec7f67ac23fae736086d22defc4434e1b7af |
| SHA256 | e516494166781a16fa09d61ab2d51fc1b2205c7ad04f4c0b58cdb160915a8b59 |
| SHA512 | f74af482a46e730970d30bb87096b69d1e0c9409a51ac6ba0cdebc973e088aa43c67992460e076bfd0c12374b267e2515eb2f62435727e0ab1c5d82da02db39d |
C:\Users\Admin\AppData\Local\TempGUCQP.bat
| MD5 | 9d8c823aa9d6fc3f009d667a0b5c2aeb |
| SHA1 | 9cc26bc83d1c543b737c4880b73e40a6ed254bce |
| SHA256 | 980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4 |
| SHA512 | 66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42 |
C:\Users\Admin\AppData\Local\TempUASWR.bat
| MD5 | 61101519a3da1228d0e0498cf23f87f5 |
| SHA1 | 23984750bbaf6fceb0c0fbeb529e99639b05e8be |
| SHA256 | 9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac |
| SHA512 | 26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71 |
C:\Users\Admin\AppData\Local\TempKTPCO.bat
| MD5 | e19b90bfba2c69d2c21ac3776c877917 |
| SHA1 | 85d70a13fc6e4842be8e175522d24be6bd879a9e |
| SHA256 | f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5 |
| SHA512 | 3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f |
C:\Users\Admin\AppData\Local\TempAHVDR.bat
| MD5 | 67268169a450d00a136aeb8064928cf6 |
| SHA1 | 2ff1c026bb20b5f389c3be97e1d371ffa9fda84c |
| SHA256 | fa60dc9662fd2feb711d924c44f9a5b09b975c5d5694037ffb38aaeaf25555ae |
| SHA512 | 43ede016de0bad1a5cf6c85bee13503e7ba215de4e3e9e38a0b2015b0a318984a460500da0946727ecc94d188ac7365f2a120ba15c1d62e986ae4ea8718c3466 |
memory/2700-1482-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2700-1487-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2700-1490-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2700-1491-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2700-1492-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2700-1494-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-23 22:02
Reported
2025-02-23 22:04
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
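The AuthorizedApplications\List values above use the legacy StandardProfile format `<path>:<scope>:<Enabled|Disabled>:<display name>`, and the profile's DoNotAllowExceptions is set to 0 so that the exception list is honoured. The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses that value format and flags entries whose executable sits in a user-writable directory, whose display name imitates a Microsoft product, or whose value name disagrees with the path in the data. The sample entries are constructed from this report's indicators plus one benign contrast entry; the directory markers and the lookalike-name list are assumptions.

```python
"""Audit legacy Windows Firewall AuthorizedApplications\\List entries.

Added example, not part of the sandbox report or the sandbox's tooling.
Value data has the legacy StandardProfile shape
'<path>:<scope>:<Enabled|Disabled>:<display name>', which is what reg.exe
writes in the report above. Sample entries are constructed from the
report's indicators plus one benign entry for contrast.
"""
from dataclasses import dataclass

# Constructed sample of (value name, value data) pairs under
# HKLM\SYSTEM\...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
SAMPLE_LIST = {
    r"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe":
        r"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe:*:Enabled:Windows Messanger",
    r"C:\Users\Admin\AppData\Local\Temp\service.exe":
        r"C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger",
    # constructed benign entry (assumption: a normally installed application)
    r"C:\Program Files\Example\app.exe":
        r"C:\Program Files\Example\app.exe:*:Enabled:Example App",
}

# Assumptions: directories an unprivileged user can write to, and display
# names a RAT might borrow ("Windows Messanger" is the report's own string).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
LOOKALIKE_NAMES = {"windows messanger", "windows messenger"}


@dataclass
class FwEntry:
    path: str
    scope: str
    enabled: bool
    display_name: str


def parse_entry(data: str) -> FwEntry:
    """Split the legacy value from the right so the drive-letter colon stays in the path."""
    path, scope, state, name = data.rsplit(":", 3)
    return FwEntry(path=path, scope=scope, enabled=(state.lower() == "enabled"), display_name=name)


def audit(entries: dict, do_not_allow_exceptions: int = 0) -> dict:
    """Return {path: [reasons]} for entries worth a closer look.

    do_not_allow_exceptions mirrors the profile's DoNotAllowExceptions value;
    the report sets it to 0, which means the exception list is honoured.
    """
    findings = {}
    for value_name, data in entries.items():
        entry = parse_entry(data)
        reasons = []
        if any(marker in entry.path.lower() for marker in USER_WRITABLE):
            reasons.append("executable lives in a user-writable directory")
        if entry.display_name.lower() in LOOKALIKE_NAMES:
            reasons.append(f"display name {entry.display_name!r} imitates a Microsoft product")
        if value_name.lower() != entry.path.lower():
            reasons.append("value name does not match the path inside the data")
        if reasons and entry.enabled and entry.scope == "*" and do_not_allow_exceptions == 0:
            reasons.append("enabled for all networks and the profile honours exceptions")
        if reasons:
            findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LIST).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The report shows the key being written on both Windows 7 and Windows 10 but does not show whether the firewall service acted on it; when hunting, check this legacy list alongside the profile's current FirewallRules values rather than treating either alone as authoritative.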
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFOFXOLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQEFABWREMGLYIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNWIOT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGGSYPNRMTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFABWRELGLYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCDOULJNIQEFYWF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAVARMGBGVW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVGHAUBROYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQEIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URPTOWKLDLLUPYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEESXPXLWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYQEOEAXVNDQMKP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJREKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBABWCSNBIC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVSRVIMIGWULLN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGPG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
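Each Run value above is written by reg.exe, which the process tree further down shows being launched from a dropped .bat with a command line of the form `REG ADD "HKCU\...\Run" /v "<name>" /t REG_SZ /d "<path>\service.exe" /f`. The following Python is an added example, not part of this report or of the sandbox's tooling: it parses such command lines and flags autostart writes whose target lives in a user-writable directory or whose value name is a random-looking 15-letter string, a pattern taken from this sample's names and treated as a heuristic rather than a rule. The sample lines are six command lines copied from the process tree plus two constructed benign lines for contrast; the directory markers are assumptions.

```python
"""Hunt Run-key persistence written through reg.exe.

Added example, not part of the sandbox report or the sandbox's tooling.
Parses 'REG ADD' command lines of the shape shown in the report's process
tree and flags autostart entries that point at user-writable paths or use
the 15-letter value names seen in this sample (a heuristic drawn from this
one report; assume it does not generalise without tuning).
"""
import re

# Constructed sample: six lines copied from the report's process tree plus
# two constructed benign lines for contrast.
SAMPLE_LINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQEFABWREMGLYIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URPTOWKLDLLUPYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYQEOEAXVNDQMKP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGGSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f',
    # constructed: an autostart entry for a normally installed per-user application
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
    # constructed: a write to a key that is not an autostart location
    r'REG ADD "HKCU\Software\Example\Settings" /v "Theme" /t REG_DWORD /d 1 /f',
]

AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumption: directories an unprivileged user can write to.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
RANDOM_NAME_RE = re.compile(r"^[A-Z]{15}$")  # shape of every value name in this report

REG_ADD_RE = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?(?P<rest>.*)$', re.IGNORECASE)
OPT_RE = re.compile(r'/(?P<opt>[vtd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)


def parse_reg_add(line: str):
    """Return {'key', 'value', 'type', 'data'} for a REG ADD line, else None."""
    m = REG_ADD_RE.match(line)
    if not m:
        return None
    opts = {}
    for o in OPT_RE.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    return {"key": m.group("key"), "value": opts.get("v"), "type": opts.get("t"), "data": opts.get("d")}


def hunt(lines):
    """Return (value_name, data, reasons) for suspicious autostart writes."""
    findings = []
    for line in lines:
        rec = parse_reg_add(line)
        if rec is None or not rec["data"]:
            continue
        if not any(rec["key"].lower().endswith(k) for k in AUTOSTART_KEYS):
            continue
        reasons = []
        if any(marker in rec["data"].lower() for marker in USER_WRITABLE):
            reasons.append("autostart target in a user-writable directory")
        if rec["value"] and RANDOM_NAME_RE.match(rec["value"]):
            reasons.append("random-looking 15-letter value name")
        if reasons:
            findings.append((rec["value"], rec["data"], reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in hunt(SAMPLE_LINES):
        print(f"{name}: {data} ({'; '.join(reasons)})")
```

The constructed OneDrive line is there to show why the autostart key alone is a weak signal: it matches the key and lives under AppData but trips neither heuristic, so it is not reported. Both the temp-directory marker and the name pattern should be tuned against your own baseline before use.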
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3156 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe
"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQEFABWREMGLYIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENYAW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URPTOWKLDLLUPYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCPRMF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYQEOEAXVNDQMKP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRNWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGGSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFABWRELGLYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCDOULJNIQEFYWF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
"C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBEFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KAVSRVIMIGWULLN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQEIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXOLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempQOSNV.txt
| MD5 | 3d1d4cc9ac30133d38400ce48f853715 |
| SHA1 | 2761e55d0326738fd3c9acf1211942cb24f94095 |
| SHA256 | 71638fb1743e447142677089779d8945573e8e2e8b5eedd779047568158fa390 |
| SHA512 | fcb33344037ec7b1005d0a87f9f198a15b64707b9977b12ef295e1c30a5e07157fd9ddfa4fb341b30db8eb91c53b9dfa195be0e0fb9414be64b683f24b6bcfce |
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.txt
| MD5 | be6675220d2463bab5e6113cb9675360 |
| SHA1 | 834ba1d38f0c5942cf559f2a0134247c8b660f0b |
| SHA256 | 361d2cbfeb6a72f96de13379215650f7c4ef2d90b9f9199d955d924a276784e4 |
| SHA512 | 0d0b623c2bdd592940c780f3599c635c04bb94aed81c88a7228db993832662454df76e76b71d300211aaba556c6867932dfbc0f7cfa90c81b021aff8b33e25d1 |
C:\Users\Admin\AppData\Local\TempPVLJN.txt
| MD5 | 577f5996f783f890ba33c6040c10977c |
| SHA1 | d1915aefdd08072f2e106d8b9542286c8a5fa759 |
| SHA256 | d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f |
| SHA512 | a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
| MD5 | b4fc05aa924f1555b4f718c218490043 |
| SHA1 | 759e00aad17d3362fd8baa75284e974f5e388dcd |
| SHA256 | 55f1931d874cb4bf56396bb4f116e67be644c2835560b0a66b882fa25fd58884 |
| SHA512 | 13a93fa8175add6685d1c198e9b299a2a6547cbc0aeba3fdcf3ab82cfd5e2ae6f9271a3f63873e95c0b74808013f8c083e068d5731b919425a599790d55553ab |
C:\Users\Admin\AppData\Local\TempENYAW.txt
| MD5 | f4f1eb33c618809fcc1a5e7efd3ee647 |
| SHA1 | 7555e3e3d1ed1644baeea31bc2606914149b7558 |
| SHA256 | 974fd4a357e27412e97677938a520a00d64fb2841c59ebf7bb5fb0589a0833b8 |
| SHA512 | 0bd2cbcaf16f5f9f6d79981f50fad1192c50eef8be047afe3d692c959e1c7161e972fb48286c23b741650ff1912016e39dd36c7d9ae93ed3b5dc8452a0bb906b |
C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe
| MD5 | c31a447fbb37522e259a0b183f827fba |
| SHA1 | 5528f12e49e258abd7f7f4c3e09199732d4b9117 |
| SHA256 | f49a992974c308d619efc70a8c1ee3cad3a72c4ef41b64643bdb6ed421c799ea |
| SHA512 | a137ec5a28c6b34062fa0dd4a1fd16a99f2eedb7adcfc6c945d6261ba7136a373643449d4dff21b77b875057a6f180983fd0be20581debe5863ba09a0ee74446 |
C:\Users\Admin\AppData\Local\TempCPRMF.txt
| MD5 | c39bc0d04600b23543c168ab5e493954 |
| SHA1 | 90d5fd1968bd4a36d533e1a33df65f0d974d3875 |
| SHA256 | a84d6ed78bba9e913ba15f198aa9c3408dab195d36d79185d212038f27264218 |
| SHA512 | b7eea376127c82dccc97b1b10653ff567f5a6e4523865bd06edb5059b05be00a42da95d8089748e5d6e230baed46cdc10d1dbc891af31ae3d3d2b2c0c7f17dd1 |
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
| MD5 | e3be5cd48bae3705db82b9b2cf45529a |
| SHA1 | 0659c2991686d0934ad1384fb6873c45330199e4 |
| SHA256 | 8e1ed9f3f6e1362bfc2c3677255933923bada3c7665b77537873c41559fa6793 |
| SHA512 | 6d89aa9e59ac54c9bea05d80f87964fb34702e261f4f228ea5e223a21905b3a66bb12ae9a84697d2546906d88ca36a8a85647ca95e404448598fefa064597cc7 |
C:\Users\Admin\AppData\Local\TempTRVQY.txt
| MD5 | cc2281b5290761dd2186c3350cc6f4a4 |
| SHA1 | 17624a63b7d755f01bbbfe2898ad67b1d2a1a24f |
| SHA256 | f03902729551f314f17f2ebd714aa5f186553d3c0f666017dbebd151cd4fc2c5 |
| SHA512 | 444e26b2253d5bfe51b3d12faab6d56ab5fbcad19333b9a5c6e0ab645af918df3f789a32816ee438bebba76357c0df4dfb969d7f9fa9adcac29c49307f1991b2 |
C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
| MD5 | 70d64863b06154b39a108f9fbe7543af |
| SHA1 | 663a50de48afd491f0e2e1c7e53eb421049437d3 |
| SHA256 | 99bca21d3ef5746aead4362fff32c7778b44016d173d1ba76e2f7b5d41427074 |
| SHA512 | 961cafd10bce7f97497b380ea66d0970c937dc9efa12c472f6d3bdb281313aefa06e277ba4b6acdfd5fca55b21a61e6c43e06c2863868b8aab1624cdff912c59 |
C:\Users\Admin\AppData\Local\TempJRNWN.txt
| MD5 | 2d380cc3f146925fe44172c92e910e8d |
| SHA1 | b1d5e5101f8cefe9172abf49268d8fd88b97f14f |
| SHA256 | 5666808151f654bad0d5af7dfb6f63834031767bb0b58df3e40ad50acda00e09 |
| SHA512 | 81192ebba1983d6a9174040f6e8ad0f3412a78d4836c016a1840d273ca0b48dcc64e4b74b9efd6251c7ce18b4347fa87df56f9e9e9894ce0fdd6fb7dd845b5e2 |
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
| MD5 | eab890278c681f557845efb0f78ee70f |
| SHA1 | a9d57329916c3bcc5fa5f8055faaeea4eea8ced4 |
| SHA256 | c32346487218149bb112c6e60c5fc5ad6d1bf28ae8f285af54b3a32a07113260 |
| SHA512 | b0ceddbf7d57d7f99dcf6b96a17639bba58c5b799cdc44d1590cadeb6931da7ba9c08d7926cc149a2d02b4aecd436dc1141f58cbf265b042a5913798ad502752 |
C:\Users\Admin\AppData\Local\TempUFEIW.txt
| MD5 | 1f5b0a440773b1dbb89d3187b7e32108 |
| SHA1 | 2bd09f5cb3ab6a3beb077b4848607654414f011b |
| SHA256 | ec4fa25a78ce38848c382b67057b80ab4e045d3704bfd33b4973a8203b147336 |
| SHA512 | 86dea559c5744a01dcb7744151f57c5fc11cb42ff0ec3c203518abb470d7101bfd7e4bd6f689721367069b4ba29f488c632539d3c1f5caeb043e993430241c3f |
C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
| MD5 | 8d7c9c9d8a21f45a03015dea0581313d |
| SHA1 | 76e94d59882c16a453b00cbd96eacdc9df2fc7c6 |
| SHA256 | 9968f0e1a41e2bc903b0fa1e738be4fd4a7b45d8a82f81968966d76327473e91 |
| SHA512 | 48c0cff28929f269a28b2eaa9157f64e48e58c8f74cb993750f568c19616e91d3cdf3e667124048997d7f58c0a8c9d20afc6855ba8a6b8c41b0a24bd49321f60 |
C:\Users\Admin\AppData\Local\TempTQOSN.txt
| MD5 | 2d778d21e9529cae1b0ef11236939a9f |
| SHA1 | 874b84a286703d6d55c7fda23e7c332a83d35708 |
| SHA256 | af57e6e302018e7881a8dab372695443a67bf24904bf09043c1d7f6df2c9a21f |
| SHA512 | f7ead2790c88a47965b49eca28709717070bae22fd2759a4b1fffe4babe883eb2d9748c0c7e26cf099018a9125c9e10f399fbd63263d5d0012027a68628fb548 |
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
| MD5 | 1c83d86b90032d468781f4cbbd01d423 |
| SHA1 | 7058b802f0afc1678426551b4edc247f5f411509 |
| SHA256 | a4b5ec1e3690660b11a1feb6d2f361291e2cff72c123d6b51f26a8ac036f8716 |
| SHA512 | 1d4e2d4821a636c0b1e9da98af5de2fa22f148a59603dccff0487cb5b2215291f0a1431aa98e831a043aa784ec07e2a903bd30e1eccc154ec0c1d2937babf049 |
C:\Users\Admin\AppData\Local\TempFYOJS.txt
| MD5 | fea3c7b3ae3cabaaf93ad02ba3fd3d93 |
| SHA1 | 5056b9c08d9ced49a83b56b6cbf839ff890d2bd6 |
| SHA256 | c1891b16a57528b5c2379900dac7f471a2d8e59285cb6a81dfdba776124fddb5 |
| SHA512 | 4bd117741577e9370597f06bc0e8dc2f25d609cd85a3a5b4ee6c6e7f13fdd3d260a8a05792a8f3acb821656c167366e48ba6bcd6ded8aaa3cd6718659a6a7fff |
C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe
| MD5 | 15e4593b1bc1c9f4c03a317d0eac655c |
| SHA1 | 37545f2340876b5a7d2813664fc4ac98cbde1675 |
| SHA256 | 3a8a76b03637b48d3c66d540e401485717de06d27000855c0e2b6832aab4b2d1 |
| SHA512 | 4a2e882d0ecdb0283e8c30954310517fe882d73d400c20f9d4e32baf3462910214555cedae354b6c807032d614f5746bf875f81898faa3b158d3eeba1c2a2ac6 |
C:\Users\Admin\AppData\Local\TempYFGDM.txt
| MD5 | e6e6da5ea023ba4c6496bbb070a9c7ee |
| SHA1 | 37130ee4905b289db4c1f553b07bb77150dd3297 |
| SHA256 | 5087cf2626fb2a96482b0464e09e5a779cf355263109ec1fe4c8c963be2635ea |
| SHA512 | 017a188e466c677b3ceb39f59a73f35ad690f0ed8a65e268f90b6d62bb05d062aa7a4dd4e24abc1d490a4650473c09e678a09e968f658b587c725d53e00bb482 |
C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe
| MD5 | e4e8283f710123c27c0819f6146babea |
| SHA1 | 0f1940b8111db7fae400a8f2bc853db2e2329174 |
| SHA256 | 0009e4c04a084eca6b7a5f87427d8e2808de5b5474795ee2423588b1c0497211 |
| SHA512 | 5e43fdc83f3918c2d703ebd3dea80f56464bf3ef0d8c6826c2b493568127e2e6c9e75c34818455afa1b430b9c90f99fc6c537532b78355fdb68bfbecc434fcd1 |
C:\Users\Admin\AppData\Local\TempXGGPL.txt
| MD5 | 89513005f9143b990d479cac195289c5 |
| SHA1 | e07a5766d9d51b746317a52f3fc033dbf64604b2 |
| SHA256 | 8f58e225a0302a9795f77a7db14e811edf7ce1b2cb6ef3682d0996532ab03307 |
| SHA512 | 3c0533cb70f027f7373999cd71e6e708f8519bfa9d13e303acae6c921270933a4ba16fa32994ba7f54875324ee1aaad8e67c123e52c783d5a97ebe0b5fb849b3 |
C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe
| MD5 | 3fb337747a520e6d171e4debf9cdd668 |
| SHA1 | e4615d8f6555c849e157bebf7557746f70a1cd04 |
| SHA256 | fe9b260f5a4e714a19b0c741550a0f1e363780d5bf4a46d19747686308a811a0 |
| SHA512 | a589bf13412e9f43f80012917db5b3682d763f893d5830c50154edae352c0e718a8457706fff4cda9080b71e4bb227024d8879f730b91fbf60e1f058fa6ea86b |
C:\Users\Admin\AppData\Local\TempIBEFO.txt
| MD5 | 72b4575a7e487b928a7720741c22ad4f |
| SHA1 | ab913f3839d4f22ee33d62a0c00e0dfb1d456d05 |
| SHA256 | f38a9e1a3288e171ae8ccc9cf9fea9fb81bd4c6509fbd789d58f349209176d2a |
| SHA512 | f582ee3a512f26844187ce371af9d197b8c561e7812cf543c35e8ea420c318a33f0cbd15c2b35da0235e56a6d62b63f2680225e460ab7e20e057a44337bea6f3 |
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe
| MD5 | 3b55c16776a41a047115b24374d319fd |
| SHA1 | 0c4fb627dc31c1b2005ca2fec9831fb5f33c4507 |
| SHA256 | 6c3552ff1bd29c259e27a36ea1bbb83d6e513ffaadbfe511918cf05dce06e0f7 |
| SHA512 | 1e853220ab488f1e407453b8b5558deeaba6414667fecc0315446cdf46c32ae5e02c1c7ab2483a7c6b34e73749a340e533a77c955932caabf14b987b89145797 |
C:\Users\Admin\AppData\Local\TempYGUTF.txt
| MD5 | e65cb9e897fc570d7094a3666ff08b69 |
| SHA1 | 6d96f008bbd2008094276acd382d00262e8817a9 |
| SHA256 | 53df98660cfff8f32a7535b54600cc34463616c4aac3cb4b7c53b403c5395c8d |
| SHA512 | ae43186fe4b4ab8338a4943d973b2b74f8e8d080ed39ff6479035ff3882dabb32d7510ef9f5291d02047ff68344ea5f7a8a2194230f5818e2a5632199727b73d |
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
| MD5 | c6b0ab7f38a55fd1bb0faca8a51faaaa |
| SHA1 | 29aad5301e5061251fdaa0ac8915fa461429d252 |
| SHA256 | a26d0b206cab0445cdebd067adf4a65e962c4d6bc4b6d226e7e729310468d018 |
| SHA512 | 89c1981c79dd5669b59a9f297adc27a2564887df1f67623f6d6e836c3e13da0a479d8ff2c4939bfb596bb4a28d52e999afab45f04eedb0fda449038baf3dadff |
C:\Users\Admin\AppData\Local\TempNWIOT.txt
| MD5 | 80375619bac59e9bd5393853d6684257 |
| SHA1 | ac34026c601191e680b9e86b11e15f4d727edf52 |
| SHA256 | 6d6305816bdf8869557c5b5f3dc4aa633ddb6bc82bb12dce45ca606b547b2f89 |
| SHA512 | a72507aa375f4231759f1f56bb83c6fc88325c7538087059669b96add3be309c31d9a3b4aaa417f1ed152248e72564096faf525224698bc7edef82c1daf0dd48 |
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
| MD5 | 1600ffe587376e62c10298b8ff339681 |
| SHA1 | 9b257afb5d6c3bc22fb709a0c6096c9aa3be5e33 |
| SHA256 | 86240765a74df36c712448a09515ba4935a79d84c8852907960f8ccb1d8c1867 |
| SHA512 | 2d7c20431104db8abd27ab757e10619efc13fea300dc5a335b668fd5db91798b46f4758ebb81dc5bb7c1737c4c3c2bb74aa5df0fd910adf0f5e0fa79ef8df8e4 |
memory/2604-382-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-380-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-387-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-388-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-390-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-391-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-392-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-394-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-395-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-396-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-398-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-399-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-400-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2604-401-0x0000000000400000-0x0000000000471000-memory.dmp