Analysis Overview
SHA256
919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437
Threat Level: Known bad
The file 919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437 was found to be: Known bad.
Malicious Activity Summary
Blackshades
Modifies firewall policy service
Blackshades family
Blackshades payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-24 03:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-24 03:28
Reported
2025-02-24 03:30
Platform
win7-20241023-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSCNSCPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWEBPTYFGDMEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQFGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKIKAOVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIGOAHLCN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSDERXOWLVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTOESAI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKECJTJOGXOCND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJEDJFVIQK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUTXKAOKIYWNMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDBISINFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMQLTIJBIJRNWNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\IVCMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VOHNUFGTAQYNXNJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QIRNIYSDTCSTQYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRWGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYLBPLJXOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OWOBDXTOCYJEIYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHFQOMREIDBSXQG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDDEYEAVQDK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJKDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEFBGBWRFMG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNNLTFMQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTVHNUUFYNWJI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ODNDYVUYLCPLJXO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQVIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPGLDULJAU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXHEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXPVNEOHGIVVDR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVUGOGXPLGWPBQA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJSJOGXOCMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFXOLGVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MNJHJMUDOTEQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNFKBY\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXBYMYJIMDNTLCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFABVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRECQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FXWTUGMTUFYYNVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\KTQKUFVAFUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNKKVSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWUMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDNE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVWKWHGKXBLRYYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSUPNUPFTBJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCKBTLHCSLMVYLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIGJVWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFXWEYOEJBSJIS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TGHDBDYTHOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSODRYI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULMJRDKO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AWVNDQMKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTNLNDIWVIQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNEWOKFVOAPYPP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TXUIUFEIVXJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSNDRYH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\FXWSTGMTTEYXMVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMNKSELP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQHUQOTFTVAQJMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTSTPNUPFTAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\THSIEDQGUQOTFSV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTDPPQLKQMCPWG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGPWHDOHIYRVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQXJJDXBEUQR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
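The two registry tables above record three artefacts worth turning into a repeatable check: a per-user Run value (15 upper-case letters) pointing at `service.exe` under a 15-letter subdirectory of `%LOCALAPPDATA%\Temp`, an `AuthorizedApplications\List` firewall exception for that same payload (display name `Windows Messanger`, misspelled exactly as the sample writes it), and `DoNotAllowExceptions` forced to `0`. The following Python script is an added example, not part of the sandbox report or of any vendor tooling: it parses rows in the table format used on this page and tags those three patterns. The 15-letter naming scheme is inferred from the rows on this page and is an assumption, not a documented family constant; the sample rows are copied from the tables above, plus one constructed benign row to show the negative case.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Dropped-payload path seen in this report: service.exe directly in
# %LOCALAPPDATA%\Temp or in a 15-letter upper-case subdirectory of it.
# (The 15-letter scheme is an assumption drawn from the rows on this page.)
PAYLOAD_RE = re.compile(r"\\AppData\\Local\\Temp\\(?:[A-Z]{15}\\)?service\.exe$")
# Per-user Run value whose name is 15 upper-case letters.
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([A-Z]{15})$")
FW_LIST_RE = re.compile(r"\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List\\(.+)$")
FW_FLAG_RE = re.compile(r"\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions$")
# One row of the report's indicator table: | action | indicator | process | target |
ROW_RE = re.compile(r"^\|\s*(?P<action>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")


@dataclass
class Finding:
    tag: str
    key: str
    value: Optional[str]
    process: str


def parse_row(row: str) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Split a table row into (action, registry key, value or None, writing process)."""
    m = ROW_RE.match(row.strip())
    if not m or m.group("action") == "Description":  # skip header rows
        return None
    indicator = m.group("indicator")
    key, value = indicator, None
    if " = " in indicator:
        key, raw = indicator.split(" = ", 1)
        # The report prints values quoted and with doubled backslashes.
        value = raw.strip().strip('"').replace("\\\\", "\\")
    return m.group("action"), key.strip(), value, m.group("process")


def classify(key: str, value: Optional[str]) -> Optional[str]:
    """Return a tag for the three artefacts this report records, else None."""
    if value is None:
        return None
    if RUN_VALUE_RE.search(key) and PAYLOAD_RE.search(value):
        return "run_key_persistence"
    if FW_LIST_RE.search(key) and ":*:Enabled:" in value:
        # Value layout is "<exe path>:*:Enabled:<display name>"; check the exe part.
        exe = value.split(":*:", 1)[0]
        return "firewall_exception_for_temp_payload" if PAYLOAD_RE.search(exe) else "firewall_exception"
    if FW_FLAG_RE.search(key) and value == "0":
        return "firewall_exceptions_allowed"
    return None


def scan(rows: Iterable[str]) -> List[Finding]:
    """Run classify() over every parseable row and keep the hits."""
    findings: List[Finding] = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        _, key, value, process = parsed
        tag = classify(key, value)
        if tag:
            findings.append(Finding(tag, key, value, process))
    return findings


# Rows copied from this report's tables, plus one constructed benign row (last).
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |',
    # Constructed benign row (not from the report): ordinary Run value, no hit expected.
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" | C:\Windows\explorer.exe | N/A |',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.tag:36} {f.process}  {f.value}")
```

The firewall tags are deliberately split: an `Enabled` exception written by `reg.exe` is suspicious on its own, but one whose executable sits under the user's Temp directory is the specific artefact this sample leaves and is what an incident responder should pivot on first.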
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe | "C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempLWUSX.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMQLTIJBIJRNWNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe | "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempEWVRS.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MNJHJMUDOTEQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe | "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNFKBY\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe | "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe | "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe | "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempIPUFD.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe | "C:\Users\Admin\AppData\Local\Temp\JFTRISLJMYCHVUG\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempJAACD.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe | "C:\Users\Admin\AppData\Local\Temp\YEXHTSTPNUPFTAJ\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe | "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempQJMNW.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "THSIEDQGUQOTFSV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe | "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLKQMCPWG\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe | "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe | "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempUFYAN.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe | "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe | "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXOWLVLH\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe | "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" " |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" /f |
| C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" |
| C:\Windows\SysWOW64\cmd.exe | |
cmd /c ""C:\Users\Admin\AppData\Local\TempIGOAH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPWHDOHIYRVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLQXJJDXBEUQR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSCNSCPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENWEBPTYFGDMEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQUGEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXQCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAOQLE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ODNDYVUYLCPLJXO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGIDBK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QHFQOMREIDBSXQG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PIXHPDDEYEAVQDK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJSEKP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCKBTLHCSLMVYLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIGJVWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJTOCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVNDQMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
"C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVCMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\VOHNUFGTAQYNXNJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEFTBP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXBYMYJIMDNTLCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGNIMJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTABGESSFHCADYS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTFUETURBMSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBFLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIBCQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTOESAI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMNKSELP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQVIMIFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\PRHBXGPGLDULJAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFABVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRECQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQVIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORHBXGPGLDULJAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIPKOL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VCDAIBFUUHJECFU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFXWEYOEJBSJIS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXHEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQROWI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVUGOGXPLGWPBQA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGHDBDYTHOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJKDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEFBGBWRFMG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBEGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVTRWJNIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQHMEVMAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHVCYS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXWTUGMTUFYYNVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNNLTFMQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQFGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNEWOKFVOAPYPP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKMIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVKECJTJOGXOCND\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe
"C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSODRYI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLJRDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJASKGBRKLUYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJBRJHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRWHFJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QIRNIYSDTCSTQYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHOSE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDRWHIGOAHLCN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDIW\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBXPVNEOHGIVVDR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTQKUFVAFUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVLJNI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGWXUDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXNXRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRWGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKVSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWUMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDNE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TXUIUFEIVXJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSNDRYH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSAGD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQHUQOTFTVAQJMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAACDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVWKWHGKXBLRYYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YEXHTSUPNUPFTBJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEHIRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYLBPLJXOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFXOLGVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHUBYY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FXWSTGMTTEYXMVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGEID.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSBRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
"C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUTXKAOKIYWNMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDBISINFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFRXNL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OWOBDXTOCYJEIYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WYOIBGNWNSKSGQH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJBDQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJXYAKQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe"
C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | | tcp |
Files
| SHA512 | a9070731533573c35a3639d595f72153dab4b59d3dfffafb455784c25f502962f945686ec728451412fe826bfe4f3ee37a5edab9d1688e58736354b7d4aa300c |
C:\Users\Admin\AppData\Local\TempHUBYY.bat
| MD5 | 45a37016efa2f9e37b42aed0a4726c99 |
| SHA1 | 394ce87cc05ee3fd6599af8779ef5afebfd2c106 |
| SHA256 | b85390cea841e03ee2ce4127690de0edf31afa2ebe485aad6a7d318d608c9129 |
| SHA512 | 2f46fbf8e8b5074d5318a9fea0c4f871a16d6e47a74256a75956dcbb6038c03ce9a826a807c3cf143e8e353ee8d9f4e4a3e60a6dfc65b928888cf3486117a297 |
C:\Users\Admin\AppData\Local\TempVGEID.bat
| MD5 | 544ea437cd0d9ea6723d78a6053b8df1 |
| SHA1 | ff3cf28f2289dda4f486bd0087bd37dc58748458 |
| SHA256 | a168808f799128b67a718ce0a0610c3b3027ae8a96588e96b30bc3bd0dfc13ba |
| SHA512 | 66409d88d6f4da083e615053241220cd55c24233c8b57e76cc14938d14a03cb6fa4465c7ba18982b792b7e6363debf33a8ba25af9317cf6c42926231969d5fde |
C:\Users\Admin\AppData\Local\TempEYNJR.bat
| MD5 | 5a2d7d2fdf8d93d974d5b1e5e9e8b3ab |
| SHA1 | b73cae44242128fcf54c491ac6d0e9a8fcc0b95a |
| SHA256 | 1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8 |
| SHA512 | 8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f |
C:\Users\Admin\AppData\Local\TempVCTMR.bat
| MD5 | e522ef6e90effcd867091232dd811330 |
| SHA1 | bc49e18d948bac5f62d742cebea31a4e25086971 |
| SHA256 | b6af6611a08e65045326aa360906362e279e119d2036e8da2dbb0fee3088781b |
| SHA512 | 97ea1d8ca86b9b5917eac9fe3a636a6a38f331c3d490e6c9fce145fbd19478f2067a21d0015ef36ea37f68c751fd32dba44a26c1c968311d154693f26191094f |
C:\Users\Admin\AppData\Local\TempCGHQM.bat
| MD5 | af3bc0b9d7de11e60125789863d1bc4e |
| SHA1 | 95fec6cd34b10072f384ce4f1ed44e62908113cf |
| SHA256 | c305e16af56500c386c409310743b41c44e74ec8d9f086f95df595f2db6b0642 |
| SHA512 | fa9b0f6dc1322f37ecc397d4b263a66ec0c0135e1d783a60aa5d8f48f81f7910450ca0289898441e942ff9b2a546d2735c0d790b54f9128221919edd89b6a7e1 |
C:\Users\Admin\AppData\Local\TempFRXNL.bat
| MD5 | eb4ec3f54b91d5fd06a506adf95420d4 |
| SHA1 | 1179e3bd3e314f04e92d5da5433b627fedd66912 |
| SHA256 | 46fe1a677e0e641c657819690047da1375edfb0cea39561eb5dfb4b480755d0b |
| SHA512 | b410967072d5562a72a9289797927fa81cb2ced38d0d8d2b77209d3d0ac558a46a2458da4b926b2a4ce310f4161aa5c2e36832d3be54921174b4ded0950a639e |
C:\Users\Admin\AppData\Local\TempPVLJN.bat
| MD5 | 577f5996f783f890ba33c6040c10977c |
| SHA1 | d1915aefdd08072f2e106d8b9542286c8a5fa759 |
| SHA256 | d08343b6b8202d4a4277e3a76d5aa1eccaf3280293107211fcd647cfc318679f |
| SHA512 | a60567082ad8f9ba8e96752f664c270dac82056d1fc05720b3b9854994b19a1d2b2ac47a707140799a24ba08acd1f4e096821228f167c29855b111df26e4db1e |
C:\Users\Admin\AppData\Local\TempPPYAU.bat
| MD5 | b6e7e717427b9a2a0cb73db79e705a84 |
| SHA1 | 27812bd748e98425f675803b8f176a4256f194ed |
| SHA256 | b504483495d7dc2be123b22b234915a5fe61a07a357a00b56f2b57222e3a63ce |
| SHA512 | 47677f7e8dfbb53cff8c626d252772dc3910b82133864bba34838c246bcf1050751a5ea87fc5f46d8d7068109c8d1d09dbf1fefbadd163c2d97f9f7d6fc299d7 |
C:\Users\Admin\AppData\Local\TempMVREB.bat
| MD5 | cfcab4ce7b33fe47d4a2fbd0db1cf6bf |
| SHA1 | e6184239342f634b181e0ec242c106cc24d2ebbf |
| SHA256 | 10cb6c5370b11b8ecb9648dba6bcc01798433f19c98c4853e2397b6ecbbe8261 |
| SHA512 | 0f926cfef3df33006e03ad58ba3c94395de2a20ddbb0fe49ac04a02ecd18ea10081efb480d883f587a02cedcf3bed0817a0fa6008361a87eb1ce4cde9f0a5574 |
C:\Users\Admin\AppData\Local\TempUGMRD.bat
| MD5 | 1ec7e3ccc363d8da29003f6ca9f20bcb |
| SHA1 | 0f0f489d7aa81ef3940691225309146a6831f60c |
| SHA256 | abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c |
| SHA512 | bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2 |
C:\Users\Admin\AppData\Local\TempJBDQM.bat
| MD5 | 7943f1314bd997f07c8d719fc152e4d1 |
| SHA1 | 2a90fec7bcef94dc5b7afec09346a22d684bae92 |
| SHA256 | e8caf17ca88b271aa0575f08217fbf7d375d0dcfe83582179be6ba2934e6fce4 |
| SHA512 | 545716afb8c98ff890fb3cb81a1e782ecc5ca59aff5277969e8445278f532076b22f9062d6dae0cc5131bfc179b2873590a3ed624759076373cecc1b166115db |
C:\Users\Admin\AppData\Local\TempPUGEI.bat
| MD5 | bd3265b33a7a2565da521c9c3a486153 |
| SHA1 | 4c7164dc5142483ce424a84793f43c158053e0a4 |
| SHA256 | 612043966a179f96b5ff883b465f352b6380e0cb0cece327cddd9aba34bfb6e0 |
| SHA512 | 40dbcf6f63a893ccd243a58ca79df2447e7a8dec864ee394fb46b289fbf794d071ab59383e080d83918ff859bf1ae4d94bc4a27cb4d2581c94a0afa4f5988b01 |
memory/3068-2207-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3068-2212-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-24 03:28
Reported
2025-02-24 03:30
Platform
win10v2004-20250217-en
Max time kernel
137s
Max time network
136s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NFMMVRQFOBYWAOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNGKBM\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FQSNLNDRYHTXIUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSISMKNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IOTFDHCKVWSQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXNSKSGRHD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRLLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTOVKLDKLUPYPEN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFHCACXSGNIMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXVYJOTABGDS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OTECGBJVWRPSHVD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPYK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCKVAXSQTIWEMD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMGPXHDOHIYRVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLQYJJDXBEUQR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRINFWNBLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKKRGFGCAHCXSFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DEYAVQDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTDOTDQBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJUS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCNTYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUAQLGAFUVT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJKHPBIMAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUGVAFUVTCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOJYWMWQORCHMLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMYKIMAEOTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXTOBXIYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRUFJPCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLQYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPESAJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DNSLBBDFTBPOAID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSPJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOJIOKANVEP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXBYTRABUJXFOFC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBDUQR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PFBXWANDRNLQCQS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRDSCSTQYKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJTNLOEJXWIQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NHQXIEPIJSWXIJH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMNJHOJNUDOT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFAAVQELFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FRSNLODRYITYIUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
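The "Modifies firewall policy service" and "Adds Run key to start application" tables above share one pattern: reg.exe writes a value whose data points at a service.exe under a randomly named 15-letter directory in the user's Temp folder, once as an `AuthorizedApplications\List` entry (`path:scope:Enabled:display name`) with `DoNotAllowExceptions` reset to 0 so the exception takes effect, and once as an HKCU Run value. The script below is an added example, not part of the report or of any sandbox's own tooling: it parses rows in the report's `| Description | Indicator | Process | Target |` layout, decodes the firewall allow-list value format, and flags entries whose target lives in a user-writable Temp path or carries the random-name pattern. The sample rows, SID, value names and directory name are constructed stand-ins; the row shape and value format are the ones shown in the tables.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rows in the report's table layout. SID, value names and the
# ABCDEFGHIJKLMNO directory are hypothetical; the last row is a benign control.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ABCDEFGHIJKLMNO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ABCDEFGHIJKLMNO\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1111111111-222222222-333333333-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQRSTUVWXYZABCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ABCDEFGHIJKLMNO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1111111111-222222222-333333333-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | N/A |',
]

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<indicator>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$")
SETVALUE_RE = re.compile(r'^(?P<key>.+?) = "(?P<data>.*)"$')
# Windows Firewall (XP/2003-style) allow-list value: <path>:<scope>:<Enabled|Disabled>:<display name>
FW_ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")
FW_LIST_MARK = "\\AuthorizedApplications\\List\\"
RUN_MARK = "\\CurrentVersion\\Run\\"
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
RANDOM_NAME = re.compile(r"^[A-Z]{15}$")   # 15-letter names as seen in the report's tables


@dataclass
class Finding:
    kind: str                 # firewall_exception | firewall_exceptions_forced_on | run_key
    name: str                 # display name (firewall) or value name (Run key)
    target: str               # executable the entry points at
    reasons: list = field(default_factory=list)
    process: str = ""


def in_temp(path: str) -> bool:
    """True if the path sits under a user-writable Temp directory."""
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def has_random_component(path: str) -> bool:
    return any(RANDOM_NAME.match(part) for part in path.split("\\"))


def triage_row(row: str):
    """Return a Finding for one 'Set value' row, or None if nothing is suspicious."""
    m = ROW_RE.match(row.strip())
    if not m or not m["desc"].startswith("Set value"):
        return None
    sv = SETVALUE_RE.match(m["indicator"])
    if not sv:
        return None
    key, proc = sv["key"], m["proc"]
    data = sv["data"].replace("\\\\", "\\")   # the report renders data with doubled backslashes

    if key.endswith("\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions") and data == "0":
        return Finding("firewall_exceptions_forced_on", "DoNotAllowExceptions", "",
                       ["exceptions re-enabled so the allow-list entry takes effect"], proc)

    if FW_LIST_MARK in key:
        e = FW_ENTRY_RE.match(data)
        if not e:
            return Finding("firewall_exception", "?", data, ["unparseable allow-list entry"], proc)
        reasons = []
        if e["state"] == "Enabled" and e["scope"] == "*":
            reasons.append("enabled for all remote addresses")
        if in_temp(e["path"]):
            reasons.append("executable lives in a user-writable Temp directory")
        if has_random_component(e["path"]):
            reasons.append("path contains a 15-letter random directory name")
        if proc.lower().endswith("\\reg.exe"):
            reasons.append("written via reg.exe rather than the firewall API")
        return Finding("firewall_exception", e["name"], e["path"], reasons, proc) if reasons else None

    if RUN_MARK in key:
        value_name = key.split(RUN_MARK, 1)[1]
        reasons = []
        if in_temp(data):
            reasons.append("autostart target lives in a user-writable Temp directory")
        if RANDOM_NAME.match(value_name):
            reasons.append("15-letter random value name")
        if has_random_component(data):
            reasons.append("target path contains a 15-letter random directory name")
        return Finding("run_key", value_name, data, reasons, proc) if reasons else None
    return None


def triage(rows):
    return [f for f in map(triage_row, rows) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.kind}: {f.name} -> {f.target or '-'} [{'; '.join(f.reasons)}] via {f.process}")
```

The benign OneDrive row is left alone: its value name is meaningful, the target is not under Temp and the path has no 15-letter component. Run the same checks against a live host by feeding it `reg query` output in the same `name = data` form, or adapt them to Sysmon Event ID 13 (RegistryEvent value set) where the firewall allow-list and Run key writes by reg.exe are the rows worth alerting on.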
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4468 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe
"C:\Users\Admin\AppData\Local\Temp\919497a87896b6ce49bab06f2c2a55eb97dff7fdd2995aff5832fa2b5b500437.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCKVWSQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe
"C:\Users\Admin\AppData\Local\Temp\WOIBHOXNSKSGRHD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOKXXJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJUS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DQMPTRUFJPCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRLEKC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NFMMVRQFOBYWAOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNGKBM\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIQH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSPJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SKKRGFGCAHCXSFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FQSNLNDRYHTXIUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSISMKNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBIMA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHQXIEPIJSWXIJH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMNJHOJNUDOT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNIR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCNTYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe
"C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYBNKJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHCKVAXSQTIWEMD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJREK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRLLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMKOC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXBYTRABUJXFOFC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSEKP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVORT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIESXJKHPBIMAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBDUQR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNGJKT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PFBXWANDRNLQCQS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe
"C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAWVM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PTOVKLDKLUPYPEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMRMTI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVQDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe
"C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJGOAH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGPXHDOHIYRVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLQYJJDXBEUQR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTJDBIRINFWNBLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRXJFP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNSLBBDFTBPOAID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRDSCSTQYKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTJTNLOEJXWIQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFHCACXSGNIMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe
"C:\Users\Admin\AppData\Local\Temp\HVRUXVYJOTABGDS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUGVAFUVTCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\AOJYWMWQORCHMLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLDXAM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTECGBJVWRPSHVD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe
"C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPYK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEIWAW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FRSNLODRYITYIUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTDOTDQBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYKIMAEOTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 2.18.66.41:443 | www.bing.com | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
| SHA512 | 43e47abef516d4926a493320c7f1783877a6722dc46679d791e603f1865fb8c212cd80a31f846719e8e6614ec48f5bddccee914c6d1464e9325be1661ad17f92 |
C:\Users\Admin\AppData\Local\Temp\LDTCKUAQLGAFUVT\service.exe
| MD5 | 491464eca58b4a4c0e34f70701a44dea |
| SHA1 | 2cd375c7ce380780c94a4075045b9e2a9fcfabcb |
| SHA256 | 415313b39e389aa06ada027b05f36a80833f67555858de971dcafb0f08cba61b |
| SHA512 | 9b9d622c856bb2a41be1f9890d16b61a32d4a668d672559b9ef6a6de405fac0ab98f5136b1390358d6bf49c9785b8eaa69e9057b20b9c703ffda4a8b51f48f39 |
C:\Users\Admin\AppData\Local\TempNWIOT.txt
| MD5 | 3fa377d490e135358ff8715b7130b57c |
| SHA1 | 90826df37fef897b8d9b2a225d23b581e87e5e71 |
| SHA256 | 07652d1b9830b4d5d201dd0a67c88e979c0a47fa940c7cb638286e51b638b7f0 |
| SHA512 | cb99c54fc5345e204f70433c41f232e80d8893ee4447f152781f9b7a07b24319ccc47805fc35669ed599fbdce7c0c58ddd70bd6b3b0878716368f0bee0c1b61d |
C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
| MD5 | 64ce9d48b6fbad040386360f87f90ab4 |
| SHA1 | 59c77726575168b218690701b9f88d92f1345a21 |
| SHA256 | 112d9af8228cd32820bea4eb4b0d21701eb06e1308f3c8460ad46c21f76794ae |
| SHA512 | 6615da3f8feec15932d8dbf8d8eea1a666ee66d0fa23274987ef08cc2b3c01191d611a1305a56ddaa894aab068f53b02bced80a07cf7bb8c2b4c1723d1c0ccec |
C:\Users\Admin\AppData\Local\TempCIWES.txt
| MD5 | ba429fd56ff7582c4de4880c49452a09 |
| SHA1 | f39ab13e597a4092461eb550a4a343404828677d |
| SHA256 | 15ce592a30f8fa800ef34e4ccd3f9a5826f85ab0becc58f0c2cd34aa79ad6ebf |
| SHA512 | 83f91494e16ce9176dc14eab284c96cbac783ecf712524b31e9ecba8983c47ccfa20013b99c6cf8ffa05d32fcf6ec16f02d59263330639b08f7fd50136fd1e0a |
C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe
| MD5 | 7f527620d43c47c728dffb7dd45ef911 |
| SHA1 | c23f6c4715156fc8a70e68864f0044c3d3c49f29 |
| SHA256 | 46fc1e0e61e36b1cedb050551c2a3f31367a34ccf7b8b27cd8ca1a87a498882c |
| SHA512 | 723663d3006532d4eb479c8350395e7384f63b389e65db267d9ef6d7499a37062078d57e76f308ba56ef7195c8dd59f089805c60362831114a7778918fa1e533 |
C:\Users\Admin\AppData\Local\TempYBNKJ.txt
| MD5 | d27cc0987d99fd5301cb67a34fc30006 |
| SHA1 | 3d355ba8d723f056eb6b12b53ae0c07cc3c5dcbf |
| SHA256 | 0872f2c1eb629375c6e191a9ce77c50112dcc8cba1a94f657a49457459c9dcf8 |
| SHA512 | 28de00d1d0b9e11c31535f82b6f76d898034cda2e7a5a3475729a3f3a8e1cbfcfa6868261ff359aa0438bc5da6ce188c9bb1e420fbe57c5a9cd21280c456d61a |
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
| MD5 | 869e554ed4fb03b75c5227cd2523d625 |
| SHA1 | 181347516b9aa8ab3bc7f06d4c35acff5781195a |
| SHA256 | 773cbbbc658a9776db23ea4e7332fae4fd028a30985cf64c1c2cbc6bdee1daec |
| SHA512 | ed090872b716db29f761771af423b815728886d287815a416a02f66294260a5f91213a37bbe200525db00ee0c2eb001f63fa140d5cf1c37b0392d256cee2cfa9 |
C:\Users\Admin\AppData\Local\TempMJREK.txt
| MD5 | e61b23312b437cd266bcbbf5f594c849 |
| SHA1 | 4dfbefc30ff7d89390859c2f016808e83ca963ce |
| SHA256 | 4b1fbe9b6a793dc190efdf97661c34ce1dfa5392b60b0378dc21cffc6affb967 |
| SHA512 | da2725a20ef1a07436bcdde8aac24991327b049f6d9f953be35ddf32170bc94963c62ced72b0db32ba105d82ee17b20107edd9f22c89a363efa953b0ef4b26a1 |
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIS\service.exe
| MD5 | 7539c37de101bc6cf785e71548678222 |
| SHA1 | 182516bb09650b9600d2a26a2dd58a8c24fdae6d |
| SHA256 | d4b8eb2c486b0118c9c7a5f2cd5843e4f853efd52a95c3db80d899f70a3a0cab |
| SHA512 | aeafdf802f70e6317c63c44cd3f2c251a6a832577ad905c63cadd18dd7b0f79483b0c92db54cc5843235a2cde20a2d8b555f41c59adce8772cdcd521969cbd3f |
C:\Users\Admin\AppData\Local\TempQRWDE.txt
| MD5 | 5f86bd202bfcd38eb1df9dc3f99b3f2d |
| SHA1 | 20eb5c3c335c0ae536940a2687e7a4b19f36ce56 |
| SHA256 | d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84 |
| SHA512 | 4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c |
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
| MD5 | 86e09bae83fd7941691f3b7aa41491e4 |
| SHA1 | c3d5f729382447ea27fbeffafec849faef8c2c70 |
| SHA256 | 60ce106d68502dc574550f9f03c738db1cfd01312b0c69baf6e1865ba31e454d |
| SHA512 | 0c24df5b4d2f2574601359ef86e1259a2858bf0047c035c089c331379df07f046cdfa3b2c4e0a4195633a64df78cca1be582432470bdc9200e9779964f0bff47 |
C:\Users\Admin\AppData\Local\TempHPBIM.txt
| MD5 | 0e852e3f3893578dbbc3348986595242 |
| SHA1 | 1580d7f1669b5d72ff048009acaa40bc9c6b6a8d |
| SHA256 | acd2d8f85b9f16d5dcfae0a940261a752c0954fbd0e24794e9e62d2bdca9c012 |
| SHA512 | e601e7804202f35f98195848574164f11adfadd8685594bd764566a14917fe746a8f2fe9a8ce6e6c2ec86b2ef84c4b45ae1624fd58398631d265ce029bb79ed1 |
C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe
| MD5 | 46e694eb820a645f62a62b17e00ff8e6 |
| SHA1 | 2e461e1fb68b2b4522891b9118069236e5b8c5a1 |
| SHA256 | 52f03a93b95252d41292084f3b7015a66a261d273c4fae998ea1776b5c7f6cb6 |
| SHA512 | 6d7ca3205fbcf045853723b1a2434f50f068e4851021562f21e9952636e332cf74900680a522ed51c80d81fcc4c6013432d33a7979e4364f40ecba7e136645e3 |
C:\Users\Admin\AppData\Local\TempOMKOC.txt
| MD5 | 02b0cbfc4742667bd2e66679a91f5359 |
| SHA1 | b3a28d1593d027cc14844d1c46e02b317c6c474a |
| SHA256 | 767a3f58d48b0f987b0766f6c82f3861cacd29dc65f1bb0e2e87306bf88d709b |
| SHA512 | 0be8c095da302354cda62ce302dc0a41aef296ee93c0ef8d476078208d8532f61ed7aa0cd11269a02c8c4320a76df5757b93d9af43fd03b522f12717659872dd |
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
| MD5 | b572e8faa9cefd41fc8df2fe55d586c7 |
| SHA1 | 5702ad2ca31b33fc0da9ac4a55bf91f825868633 |
| SHA256 | 1afe9998326cc03b6ff2a3a29d8cbae88b9c54717cc7c62e7b28c64e968d7f1f |
| SHA512 | 3f3052b2a60a4f2b60b331615430339be5c796e8b4b6207ac3df095ec9e6f6575ca4904218b9977e8e7512329db4bdf81446a1655741666a6e094d224958cc9e |
C:\Users\Admin\AppData\Local\TempKSEKP.txt
| MD5 | 32675ebc3e0872654680aa78682110bf |
| SHA1 | ca1a6f1f4395f7044f1a4f5c861c1237d518fc85 |
| SHA256 | ab34abff316d3f92176f82c011f36556c5e2ffbaef3a0d9192c4f300fd7eba68 |
| SHA512 | d830e160e2a6ae056d51bca0068dd39ecd4a4e51469f338164d92032fde91b4ae7d19c91cb2a59fca4c56e6c9654f7f42c9db8575e7ebb34fe2499f066f66438 |
C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCTKIT\service.exe
| MD5 | 55661ab1cb2ccc7b34a19f8bb0639198 |
| SHA1 | c5f9baea44468c3a0bda18b509069c3c71286cea |
| SHA256 | 66fb4f593c7560d6e3e6a289d77d452b3be80813cacb2eae9e2506409320b365 |
| SHA512 | 3ba2a34726a9e23f01305a6b83e8c58967f95ed5db8149027530341e667b092e068c49cae0bcda1e8bd6c1c8d9057f70b7dd4220da25073a65c3c68676e11dde |
C:\Users\Admin\AppData\Local\TempFVORT.txt
| MD5 | 3ee0fab3312f08a89991b7ca8765c4e4 |
| SHA1 | ed596f47ace0db160d6db2908960ca3d3b6396ce |
| SHA256 | 463bebfae6e65d180c36077d35a8249f59b25c354fc7d769e89cbc408fd7c817 |
| SHA512 | 19e639999512618e35c97d08c94e9555733d7c66a1442a7846dd0cd62b3c6377c531653cf32215f21c3eda870b3ced5518dd044377d4fbad7756b6105dc2bfa9 |
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe
| MD5 | eef150af89d89dcb283e6977aac0c84b |
| SHA1 | 8035e6a6fbf5dd2650ff48904b0f2f936b1be707 |
| SHA256 | 7ebf39d536e9f65a38df4294ee3de3457d702ece12fd974ebdaa77b2fa094795 |
| SHA512 | 890cdfe7ace3479da7dd41e5e92fad0a2f3886c8d908c245c8ad3f5b810ecca977802104e3a125f5df0a7407632da5fb46ea6ceac1ad9fdfc94c3e02f6940855 |
C:\Users\Admin\AppData\Local\TempGYXTU.txt
| MD5 | 077975505ee313d4d0f5595fc6eb7155 |
| SHA1 | 4744ed31f9d8fd37b77625e24c415c98e78676bc |
| SHA256 | 21b75430c8b79e9ff7d13b3fa09f99870a5c47655d6a627624ef09cfe94a269a |
| SHA512 | f4f3f1a0fb493a99b27fadcc00201ff92311563f272eb7ddc1455b7293004feb2f14d9db9cf140e42b473ff136bd725ae952866a07bc9ce899eb98cff0fe7f8e |
C:\Users\Admin\AppData\Local\TempHIFOA.txt
| MD5 | b1e246ba770058be2c311a757b3bd63d |
| SHA1 | d911296ad714a3357ab09687fdb3c6d679249a99 |
| SHA256 | b27120533de4153beb1365a5154c28f013238763589f04015ad068646441b8b8 |
| SHA512 | 208126c01f598ab8c7acfd9950813d7fba88d612ede86c4fe042b702dd507520c9d3f561aebd837f5a725c6f0da0dc313b25f066116401983f8256f656de1f29 |
C:\Users\Admin\AppData\Local\TempNGJKT.txt
| MD5 | 6387e55751abb7e5fd1b6a77317bfee8 |
| SHA1 | 6fdb737213d86060a52ec7e55235cbfda16bb949 |
| SHA256 | c7223419320b28eb3f21d63ba0dfca8f0f4ab203ed82460ce14ce17af93c4cd1 |
| SHA512 | 33a7102db83ea529735ddda12cbf77e7b65491c28f9f41338b72eed475d371c1cf48244641d361c0d61c9c61e13a870cb1504efebc4c011d66be7c3ae332691b |
C:\Users\Admin\AppData\Local\TempYAWVM.txt
| MD5 | 912bf90f23999205f2e6c4e79d85e825 |
| SHA1 | b7d9328d0fa01538d1184e0c8bed1478879d6676 |
| SHA256 | c094bfc3d194bbf154adfe98bc4d2f7372886f405e269ab9a287a78f3890cb6b |
| SHA512 | 7476c78368204af845409adb4d9961bc414bf6920583d955d7050aa99ab57e33f58599a9e12087909b2759e3a997db32e7063b447871b41c21beb71bb1368495 |
C:\Users\Admin\AppData\Local\TempMRMTI.txt
| MD5 | 07a565dd42cc529ae297201564fed066 |
| SHA1 | debd8da45505fc92ca6008a28ac13208342a2500 |
| SHA256 | 435043dd6d2fa4b82c88b0875027effe379b3facbe9aff3b6d7b3ba36fe71cbe |
| SHA512 | 87a8ac8956bdc6b6ceb892a4b1f9f16bf17fbff83bb0afaf99d617ad96670cb90eef7f42d6868b78f85d4e5a2c22dc517397faba50b8a82668a59756876c4946 |
C:\Users\Admin\AppData\Local\TempJGOAH.txt
| MD5 | ff8bcd6b43fb782cdb379b14b5df3b3a |
| SHA1 | 38255e5ef3b3a6d8efe0b92c57f4da182b2475de |
| SHA256 | 67ac74809d00522e7a606b960029548c9a7a54c756c4b8950c675b3c47329a9a |
| SHA512 | 8eb3e6cd129c99710d34dab4c11f3c1df2d498a8ed229e4ae993b5a9443bc1280c40ad3646532c9dcc485803b32071d91bef8472c328c7eacdc914f6bf880b59 |
C:\Users\Admin\AppData\Local\TempCFHQM.txt
| MD5 | fb1de3a686fc82769c21e956f8bfe308 |
| SHA1 | dd9540427d08c3d0f3320ae1d5c27b4e5da57797 |
| SHA256 | b40600d10f1253acdc01df0a6905790b804b30e3d5fa0de4c74ed3feebf5056b |
| SHA512 | 093f6930977bfad5bf575d1b11965532099c51a05070c221f6f77714de110998c6e0fd2d141980cf99ab9f1b4fd7083be9053c2410ab9578325866952a2d3633 |
C:\Users\Admin\AppData\Local\TempRXJFP.txt
| MD5 | 98b653c709ac78d8d529ebe27c71d8b5 |
| SHA1 | bdad6f8189f16ad3bff1140ea557e1ea947f867c |
| SHA256 | 2544aeda712671d52192e04aab62d947ccbc0dad24fd2a05ce5e18128f8113a1 |
| SHA512 | 7e08d56091d1ded058cd56cde8bf5295928058c85bcda4a41c1460a390537e45b316145baeacbc9d840b4d35967408902747acfa27b2960cf0b7e22dc0c6243c |
C:\Users\Admin\AppData\Local\TempVHFJE.txt
| MD5 | 6c0c0682818e396dd2f8d9cc3b15a377 |
| SHA1 | a7eef2f27232378b934bab9619f061106b788aa8 |
| SHA256 | 67b5558d7dcd6bbba6bb4af5c56c29ac8051add17ef2e9f8e2f1881230ff9492 |
| SHA512 | 3a31d50d9a6c59aa3e3d742a5bbd6d4f7a5eaf40e8d3120ec43d088be209e321f8e9efd3497c408bd1f639dd0dab0bfb1b9525b80d50e09774bda341a3e16bb0 |
C:\Users\Admin\AppData\Local\TempPTOWK.txt
| MD5 | c1d77ca7bfdc8a6c406081f85955c2c5 |
| SHA1 | 91099f3b0c7bf5cc14745adf2d54323ad23dce84 |
| SHA256 | 32a9ed729e9be02a1b51f5029093df81d37fcb77750dd6f3980bebbc70ee2aa5 |
| SHA512 | 196dc34f912a0d9f636b181cabc8e61e1f9fc45af90d6ada44a3355d9fb5e356941260c0236bf8e8c306f88b44183a090ca4d884f76b0ffda62e3e78505125c9 |
C:\Users\Admin\AppData\Local\TempYKIMH.txt
| MD5 | ffc855aff102d74ae673fe8eac8c2e70 |
| SHA1 | d68a015334a2510a13d74d7d7391d88fccc0a141 |
| SHA256 | eb798d686427248292fb0d88fdd4d552666ff67f5e040f078cca0cd33485cbf0 |
| SHA512 | 1f257e4af2b78838845681020a1f8e91cdac1889f4b87fcd68b8cceeb115873ded4d32bdb6db3eefb94c8f8422be3f45d018db558bb003cb09815c35f0aa8d44 |
C:\Users\Admin\AppData\Local\TempRMUIJ.txt
| MD5 | 219d0228ed8fcb79b8cc0eacf85b8fa0 |
| SHA1 | 85b7c06eda42db1d613d6e13fe89c964a5d6cb98 |
| SHA256 | 9c42c45c317898cbc14f9ebbac4305370d4dee7a73fc508e32a481f7332bf5a6 |
| SHA512 | d9f389681dd4678ef2a187b1bfdf35956bf1a50cf90c27b9cde282310b6a94a20e8ed26461f1a0004054abb1eff7eb3bd6694d435a5fc6c44ecb773feb5b7c27 |
C:\Users\Admin\AppData\Local\TempDXWLU.txt
| MD5 | 40b9cf20109025ad75be3402cbdebbf7 |
| SHA1 | ae4cc8e0bccc77ba300ee93182c4e9394bd0a4b0 |
| SHA256 | 67d1420ef138770d14e70d0aeedcd6da05ec9b01b5a77bfc45119052ed524a5c |
| SHA512 | 9c3a5d3b20d84800a00c990ebeb2c07804baebbb270d75ed1f72ab86e56ec64d6af1f0c53d9bf130b5eb06c95fc569d3e172e3f7aa3b5a76d39d3a11caa301d6 |
C:\Users\Admin\AppData\Local\TempPXODM.txt
| MD5 | 064980d572e573e41cfb79e310369d69 |
| SHA1 | c48f752070a34a7bf790e1b3e2e95503275edd1f |
| SHA256 | 11f3448ed0674a7deb1db20a2eac212e743461d223c786c01b3e5d7472f46cbb |
| SHA512 | 59cab5247fdc3567b394bea3024d42d7f04672efd90f0014a4b53407c84a5c495a705105ed2e8b471344d2ada9b2b460a17707d76205290f9198658447f39a3a |
C:\Users\Admin\AppData\Local\TempLDXAM.txt
| MD5 | 76805ae08aa7076e34684eedc16773eb |
| SHA1 | a73ae860332954bbae7eda192e2c6331b903ad17 |
| SHA256 | 49be724f542a113b9f64041d7f139d38c88ab1694b6fe83b1416c555dcf8337c |
| SHA512 | be7389fc21d6fd83562e6c4b87cc86bd4d94c2cc6a4de677d63deb6875d169c26d7ca2161e90b2bba22d90b989cd412c67063a15962777fb9c295f6e2117b063 |
C:\Users\Admin\AppData\Local\TempWSRGP.txt
| MD5 | 3c54abc098fcb0c6f5868a26cd95d44d |
| SHA1 | ef4f63c77c4e794cefd7ac53e71a7f94b6cdf917 |
| SHA256 | f32e2472a9cbc20ed991e19e857513228fa1373253581dc79be85b9e3432594e |
| SHA512 | 3f222bc0dea422150b9d0170633e0b1a605a826dd9cf4e0e05ed5a36a171c3fc87173daafdb1d70d1b1703aa6f0dc52a66e1503f4aed22e7bb3addf730f14afd |
C:\Users\Admin\AppData\Local\TempOMQLT.txt
| MD5 | 9b8ddcb8a03dda0db854de76f0b97656 |
| SHA1 | 33e6cf7b482d51ef46095957b6c7757aeaf3fe6a |
| SHA256 | 4e81ba1a0b8e70dbfa0c5b77c2b2ba7e2a1e1842ddab305960de4d3f8422a368 |
| SHA512 | 967d33476d233c9f45d452247268ac5c03eeb104330a885bf6bfaf9143c19a67680ec766122a884aefeaf6375d2b9c4959cb7458ebca18443b5610a2a8223840 |
C:\Users\Admin\AppData\Local\TempEIWAW.txt
| MD5 | f458235acbd4401559e22043a5075847 |
| SHA1 | b229821c9497246b2d23158268c63bf67b93a031 |
| SHA256 | 4db71379845a52332a7230393122aeb3f5b834a80ebb01cdf04584839ba0aa98 |
| SHA512 | c62c105f1146bd7c956527c705f08ac2da9ca228813587a1899cc2cef894923ee4d280d2e50dca52f6176ce7ddc5dfefc1705d1161ecb44358b442f0184c78a1 |
C:\Users\Admin\AppData\Local\TempGBIWE.txt
| MD5 | ab76ecc74323655ff4be1c0400dfad48 |
| SHA1 | 44583f4e5b80dae8c8d7d1ba8f05d76e85373ea2 |
| SHA256 | 31957eafadff16021968a815a4b25af687105bb41a85d3b10536b8e304cacd9a |
| SHA512 | cd43dcbcd99ffbb54e5485304c6048f956edcf341c160a9817050cafb7173ff59ace51ad953c1c63441bd44e7c30f37a4a6526c9036bdd1d1e32248cefa1af34 |
C:\Users\Admin\AppData\Local\TempEWVRR.txt
| MD5 | b56045d1debc87654a818053068d8477 |
| SHA1 | faddf5cafce626a78ea4f6c8eda715020062a18d |
| SHA256 | 57c172e9eec5faa067a65717cbaa81f6f56199d9c729684acacca93a41847801 |
| SHA512 | 8258b9044f12e7dddb303879d04e4c774ba18018aa55811761bf0598d1dd2ff2ecffeb90f3597f70a44ed885967a4bc02766f12158f826d77ba0bff6ab638120 |
C:\Users\Admin\AppData\Local\TempGUCQP.txt
| MD5 | f1011e2ad9689a7cf42a9447ea0dc057 |
| SHA1 | 39411847e28ba728aa33b0bcc301498eaf5e52f3 |
| SHA256 | 55669f07ef4efb82b82c8a73655297efe72bff245e96e22b016f34880b720752 |
| SHA512 | fd56e5c98ac4d357f7d9b7bfa84011b336ad6ba226bc0f88f197a08f9c0279fe94a76a5646e64525c4b6fc6bbba476e50c060777ad4a1669bc2a24aa6c7cc6ee |
memory/2932-1074-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1075-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1080-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1081-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1083-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1084-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1085-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1087-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2932-1088-0x0000000000400000-0x0000000000471000-memory.dmp