Analysis Overview
SHA256
3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
Threat Level: Known bad
The file 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Modifies firewall policy service
Blackshades family
Blackshades
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-25 22:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-25 22:01
Reported
2025-02-25 22:04
Platform
win7-20240903-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLGAAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWTUGMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFEUVSBB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWIIBVACTPPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPQMKRMCQXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJNTAGDSR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVHPGYQMHXQCRBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBGPGFQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHBRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGIVWER\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHNUUFYANWJIWDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRTFJOCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOCOXCUYTQRDJQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SRVIMIFWUKKMHAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULJAU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe
"C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe
"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRPXJP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVHPGYQMHXQCRBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMSEAK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHNUUFYANWJIWDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHBRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCVVKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOCOXCUYTQRDJQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIFWUKKMHAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWTUGMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
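The reg.exe command lines above are the most detectable part of this chain: every dropped `service.exe` copy registers itself under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with a random 15-letter value name, and the SMFLSDERXOWKVLH copy additionally whitelists itself in the legacy SharedAccess firewall policy keys (`DoNotAllowExceptions = 0`, then an `AuthorizedApplications\List` value of the form `<path>:*:Enabled:<display name>`). The Python detector below is an added example written for this page; it is not code from the sandbox vendor or from the report. It parses `REG ADD` command lines of the shape recorded in the process list, maps Run-key writes to ATT&CK T1547.001 and FirewallPolicy writes to T1562.004, and flags the two heuristics visible in this detonation (target binary under `%TEMP%`, 15-uppercase-letter value name). The 15-letter heuristic is an assumption drawn from this one run, not a documented family rule. The sample command lines are copied from the process list; the final benign line is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# `REG ADD <key> [/v name] [/t type] [/d data] [/f]`, optionally wrapped in
# `cmd /c`, which is the exact shape the sandbox recorded in the process list.
REG_ADD_RE = re.compile(
    r'^\s*(?:cmd(?:\.exe)?\s+/c\s+)?reg(?:\.exe)?\s+add\s+'
    r'(?P<key>"[^"]*"|\S+)'
    r'(?:\s+/v\s+(?P<name>"[^"]*"|\S+))?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+(?P<data>"[^"]*"|\S+))?'
    r'(?:\s+/f)?\s*$',
    re.IGNORECASE,
)
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.I)
FIREWALL_KEY_RE = re.compile(r'\\SharedAccess\\Parameters\\FirewallPolicy\\', re.I)
TEMP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
# Assumption taken from this detonation only: Run value names and drop
# directories are 15 uppercase letters. Treat as a weak, tunable signal.
RANDOM_NAME_RE = re.compile(r'^[A-Z]{15}$')


@dataclass
class Finding:
    technique: str          # ATT&CK technique ID
    summary: str
    key: str
    name: Optional[str]
    data: Optional[str]
    tags: List[str] = field(default_factory=list)


def _unquote(s: Optional[str]) -> Optional[str]:
    if s is None:
        return None
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def analyze(cmdline: str) -> Optional[Finding]:
    """Classify one REG ADD command line; None if it is not one we care about."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    key, name, data = (_unquote(m.group(g)) for g in ("key", "name", "data"))

    if RUN_KEY_RE.search(key):
        tags = []
        if data and TEMP_PATH_RE.search(data):
            tags.append("binary under %TEMP%")
        if name and RANDOM_NAME_RE.match(name):
            tags.append("random 15-letter value name")
        return Finding("T1547.001", "Run-key persistence", key, name, data, tags)

    if FIREWALL_KEY_RE.search(key):
        if name and name.lower() == "donotallowexceptions" and data == "0":
            return Finding("T1562.004", "firewall exceptions re-enabled (DoNotAllowExceptions=0)",
                           key, name, data)
        if key.lower().endswith(r"\authorizedapplications\list") and data:
            # Legacy list format: <path>:*:<Enabled|Disabled>:<display name>
            path, _, rest = data.partition(":*:")
            state, _, display = rest.partition(":")
            tags = [f"state={state}", f"display_name={display}"]
            if TEMP_PATH_RE.search(path):
                tags.append("binary under %TEMP%")
            return Finding("T1562.004", "firewall exception added", key, name, data, tags)
        return Finding("T1562.004", "firewall policy modified", key, name, data)
    return None


def scan(cmdlines: List[str]) -> List[Finding]:
    return [f for f in (analyze(c) for c in cmdlines) if f is not None]


# First three lines copied from the report's process list; the last one is a
# constructed benign REG ADD to show that ordinary registry writes do not fire.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKCU\Software\Contoso\Settings" /v "Theme" /t REG_SZ /d "dark" /f',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.technique}] {f.summary}: {f.name} -> {f.data} {f.tags}")
```

Run against Sysmon Event ID 1 or EDR process-creation telemetry, the same logic fires on the parent `cmd.exe /c REG ADD ...` form and the direct `reg.exe` form alike, which matters here because the report shows both. A Run value whose data points into `%TEMP%` is rarely legitimate on a managed host and is a reasonable stand-alone alert; the firewall `AuthorizedApplications\List` write is the higher-confidence indicator of the two.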
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempXQWIE.bat
| MD5 | a563256e5b27640c5a670a6df0c4f257 |
| SHA1 | 815cbc4a223458f04c83ddf253b015d28a557279 |
| SHA256 | fbef3874bdcc41b2fbc097b0f0a90022535cfa3ea8f899e4dcbf482ffa193461 |
| SHA512 | a4c75a9cbc67071cc5feaff3990183fb08561305d95ee8fb76b231235fe5cfd7dcec356693e3c9de0987a3e2ea3a64934dde5907906c8f45f52433f5f52a8ea0 |
C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe
| MD5 | 7175f38353d4109884ba30cf44819010 |
| SHA1 | 65cee5607680e5306273467f699edd424561b18c |
| SHA256 | b285d9cdf01ff78403680f29bba210f8c99ad09c1fcf973488a9288b06edde4b |
| SHA512 | fafeea4b30abef40336961cf83a11c60fcd00ae97e389d4a599609dce155d385e37aeaa465d16258aea3b8c44676a905b45884977a7edd98df29cd2e93b645f1 |
C:\Users\Admin\AppData\Local\TempWSRGP.bat
| MD5 | 37450be2103b6bd05f77ac81bd64999d |
| SHA1 | e6e0087e881ef57b93c85b257bf746ca289b4c43 |
| SHA256 | 7de2ec0d83e6453074123125a857167f8c16b00ea4a99bba49d9f1f4c6ebd838 |
| SHA512 | 4e5ac6cefc77d2db677b4f681166e21ea2bfdd525fcfbb04a2adcaf68735ffa2ff49b30df14955cb7a4187c541061f4593104350a653c8423d526a3054e1759f |
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe
| MD5 | 771947c66c6bf245695c6b1d98a601ac |
| SHA1 | 788f039663e5d045287c882cc9da88ad585319c1 |
| SHA256 | 6fc61f1b4368f145435a32bc3f3a9735d0d6505058972abf5dcbcde6a06d2650 |
| SHA512 | 35df06dc7f3cb5aed14a943fb0324359434c70d06caaef872a6737623558e67ecb295964769ae2a32e51fb995d03c6f6db3e69d3d50d5383c85b4c15de7c2a58 |
C:\Users\Admin\AppData\Local\TempRPXJP.bat
| MD5 | 37c862667a98ccfe62f37f7246d5f9ca |
| SHA1 | e89f151a97c536eaf1543a6d5ffb38938c434f57 |
| SHA256 | e71ca55cc24ebcf30c6cd17e758477294856ee373130cd0a6c258c749e6d8d62 |
| SHA512 | 19c5d50aae93e70b16cf2a7e64c9321f24b0895401848713641f0e9f8538c660bb31ca0719892d1f2c04a48dd2b3698e6097c0c5ee2f95269576e5639b0d5c4b |
C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe
| MD5 | 57ba2ca6903f57be858b83fefc333c68 |
| SHA1 | 2b7f9a1be723e57db98868823a51816e5127ea2e |
| SHA256 | 1070643f5cc3e503fbbe98a81adbcb34ef5e80c8ca10c5af0e36465b1153340c |
| SHA512 | 1b37d3046194fe3cfd7db1c091bf51dc18e80a196739919f47dd13b6e8f9d275d1f77b6a4cf92001f40607dadd3eece8635abbc7ef0c0de567f91dc5defbce8d |
C:\Users\Admin\AppData\Local\TempMSEAK.bat
| MD5 | 9c319adb38135438ce4e189b1d1ca26c |
| SHA1 | a8f79ceedc291be87206849e55feb43bf9286818 |
| SHA256 | 2be86f1e707fc160c1481ba1d3927637a448f54aae306431819701e1001131b2 |
| SHA512 | 03bee7f6de91ecaeab48b7d5afd3e2af2a75ad497066209911450620f8d222fcc80e79a148c548676fb4d86d0836fc0e172095be20dbeae1114960799f8eef41 |
C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe
| MD5 | 397d2ffd10ce80ab4f735bfefc7adaf4 |
| SHA1 | 37b845b3c3118e7884c1a215ca246ab35cfb5974 |
| SHA256 | c898f402eccbae13bf8c7d34931bbf5ca311c5f59e1f9d6f076fd30e9655c72f |
| SHA512 | ed9ac60d959e198303e0e46dc39c490612efc1b26443ac83778a0ee40a13e792e2b86127bc55f21c8a74228f7933b31a042462d72a8222725d0a1d480c4cb64c |
C:\Users\Admin\AppData\Local\TempMJSEK.bat
| MD5 | e77159f9400b36307346f4e838d3548f |
| SHA1 | ea8e54a5773dcd1120a94024f3937219e6d18615 |
| SHA256 | 6d6b2cfe9cf7c84965ecc5807b8d8f8713ba7a47112b81da77e12d8373a78ea6 |
| SHA512 | c95bf5507d262f35b7f14f669a764db383d2e7a453f24a077ffb10449f8e7d399655b025f63e7db4afec1d2a3cdb747848dfdaf6bd8cd490847704724198b51e |
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
| MD5 | 8fc5a2b5ea33ece96a07c2873d12ada4 |
| SHA1 | ce3966736e248575706f07b763ee46010401926b |
| SHA256 | 4e4c58c1b9ab0d5fd1f44f22202c8857a94fca769618aa2c4d165b0ef7fc162a |
| SHA512 | ebb00fe5ccd24b62c89a5744a305ed3f0742ad50ea2303a5bfed2941d656a0696727f5b5af044e52026e2d25aed10035aad81d25acd11bf9d29eeb0134153f22 |
C:\Users\Admin\AppData\Local\TempTFLQC.bat
| MD5 | 332be4124670305d4298ce7777bff4f5 |
| SHA1 | 32e7f0d04b0d74095b0d000cce9694b8c502cbbc |
| SHA256 | 59a598fa4e8fb77b311d695f3ad63850786546b35ba9e572b79ca00587f72c01 |
| SHA512 | ce0e32ff59f98461f51eb0196db1a6f551860aeaa67cb322be0337092353e2994b98c3eb12b033973c019f2079471e87f06f7ea8d24db890e05f112818dc2037 |
C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe
| MD5 | 9d9cfe2fe3aa67faaa2e105b960a7d21 |
| SHA1 | 5015781bc3a0eedf9093a4ed93136407900ed384 |
| SHA256 | 61a6380559a4a3b3b92167eb722e17b0edd284c8bcd6f2f066e6a23dcfa62c92 |
| SHA512 | 72f4daa9921a67b03e2eb7235d674e403f7ba16c6135d355bc1f14301dfe85811943a2a7e29d2f9bb6567024e53ad0506fed5518b455c2cf5a37a211486168a1 |
C:\Users\Admin\AppData\Local\TempDXBMK.bat
| MD5 | 0209111bbc2fcfef39fc6801f977e786 |
| SHA1 | b124af40f009e68cad8d58a1fca9dd3af83803e5 |
| SHA256 | 22b38c22966e0646cca356accc277a432c037478d4e4facdcadb1ec4184426fe |
| SHA512 | 42319942bc273dff4b2761e94e8389448b92a74beb3e35a1ca0468e8b8812a6f87f5f8e6c34e4d19f2622aa8c5d1f6564f0ec144cf8710336eb3907bb700a908 |
C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe
| MD5 | df8df4acf2e6ebeba85f0ac55c2615d2 |
| SHA1 | 322e7221b932b9cdbe5a1bbb587ae1d85e805297 |
| SHA256 | c736a8499ad18ee9124de261458892f9724ca5148e856e2595361acada7eedc3 |
| SHA512 | f1f96ab0acafab50eb629f1da91ee94de166a985a1d2d85e34b0d03a9321fef7e9a56d7809c5e94910a32b85fe44054c1961345e32316998a91cc4630b5756ac |
C:\Users\Admin\AppData\Local\TempCVVKS.bat
| MD5 | 133a3fb4656dc431e688c356c81636f0 |
| SHA1 | cf26a98bf339292c4a067fb6fdb278aa80d8d844 |
| SHA256 | 81cb9b68882f3b04e9674085f8799db74b4f0b7989e86f1eacb0ff4d21d6ffe1 |
| SHA512 | 9a61bc8ba2da3882e75c9063cf566c1f953d262d94c32cb8e883d3a8f23fb8e5e67def9851319fc05f86c036420d0a1bf83f4bc527bd171f8d30b9a075a699bb |
C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
| MD5 | f397a0e699dc98c2bfb02b035b265496 |
| SHA1 | f6c86e59f700143eba89b964c2494c29a246baad |
| SHA256 | 837c9e0ac427f9964a156398f01d5f4ad6302942c49b6292ad24b20fc9f9ab25 |
| SHA512 | deff4df800b3245165d50ebc33da2d02dd2c2b88e498abb25b43098ffa0d28d21536148e0ab1f224d8052e2d92b39c9854651f3c6a0c85c3613877b3bea6582c |
C:\Users\Admin\AppData\Local\TempFOKYX.bat
| MD5 | 11b68cabe8569ca664245dab618b5c7e |
| SHA1 | 6ef2876d707696cfd3383c627c665b84b46b31fa |
| SHA256 | ffcb75f1142bf59e3cf6428ab7783a4a61460760f50a6f8e5af7199a5285d564 |
| SHA512 | e732b5b4d1a53e2f30ee349ee8076a95d2ddbe05f0e6ef11274dc471007ba3af841c22e9ce5bb64b931b4f9c9bf5c0a11219048e6d0853e83b5a29a342b3d528 |
C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe
| MD5 | ba7c27413e7d8f473266df139dd8ce10 |
| SHA1 | be44daaac74320a966d6bfe9541fca43e9ac6a91 |
| SHA256 | 96a5984c815a3f65f500962929f66ba5ec049e0feafaae9a1506edccb358dcf3 |
| SHA512 | 293a095fe95717a3d176d478eb2dfafc89373299b4989bbbfa3f7a34d20bf9d0dac733cce16cad14f83bb49f8d830a9821786c12860f5632184e256eac41b006 |
C:\Users\Admin\AppData\Local\TempFYYNV.bat
| MD5 | 839d1106e87898165df42f76a5fa9125 |
| SHA1 | d6660f08080bbf0d1ae87c33bad5343120123e7b |
| SHA256 | 810660990dd89f3d36ef8f7ca9e301e8187608885a36a6643a9a2a51130bcb61 |
| SHA512 | 5cfd7c2cdda1296769ed2c5d7e8e5936ca801216ce4ea7715e4b154f57e74ce7a7f6e3dce7771bf00cac0229b838671220f61ee9555752c9010de8f4b557681b |
\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
| MD5 | ef381899105c388cdd715cbd3a7d6372 |
| SHA1 | 0fb84a5b961b3f6914f40fe3a03adbb658ae3763 |
| SHA256 | 98ac10462e133d0f6c76d253928db434997ab53234c36bf9f36257f07639d37f |
| SHA512 | 09de0e890259095f654851426460f7eb660fdd54ad9fc9b2c7f30910e5dcb565734366df423753a83279c934fc0dafea11b3876300de11db71b3724479e8b232 |
C:\Users\Admin\AppData\Local\TempMIQHF.bat
| MD5 | d0599a1e9a892afe76f42cbe1bcf621c |
| SHA1 | ef751a540b9b623e2c20f82c4d24cb47e27b33e5 |
| SHA256 | 95db162aae0b0d9018face50a8affef69cc31f339c4dceecb5f7cad02364a436 |
| SHA512 | 6e71ddfb6486872377e67212b129d25ed46df1337bcc08734a9c8caa3f292d8ac73b1a4cfa962ccf9263946ecb6fe7b865faa7c075cee1dadee17a49854b9708 |
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
| MD5 | a4db63f61e6a5d775468fc399f7a2c4c |
| SHA1 | 893adb5a90ede7ea76f4a3656ceca5a166974c7f |
| SHA256 | ba3207352710965eb65862f24173bdd008609c007d2dca538b9c6fd2e22ec16c |
| SHA512 | d3cb694f54e7806fab002e83c91211c0b7d1e3d402abd6de6a420c0d16cd2fd7a023c0d07646d6e6721cb7a18ede39e8c674615c40cc4794df194d9f4608d7cd |
C:\Users\Admin\AppData\Local\TempMHQHF.bat
| MD5 | a5414e97da952d040b48e8c396fea4d0 |
| SHA1 | 57fc81d07d933bc1abf80608360ee10ced574a07 |
| SHA256 | 852fdba6e9e396ef093c00a2e8149dba075859fe89e552cdb9dfd8d0bbea15b5 |
| SHA512 | edef55b41c1c6b61812ff93816e3b3e5d9ce1ac49089ce0fff8ba7a5f41f6416f3a912930f10e8a8d57d0b119d9d284064ecac614f152ff5c9d12c3667e0fdf4 |
\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
| MD5 | e6b80abae17686feac89d657953574ef |
| SHA1 | ec0525dfc4c7781dc72b379171a145ae9a9dff3b |
| SHA256 | 0b069f9d5faa8af91efb08a01980746efe6bcc4e705e5d041b38b091527786cf |
| SHA512 | e962eb789c6c3689b61ac0435667431b3a34482029942e688da06da1ccf52050e544504022447f6e226e208617ac39e0bd312814df13717d010e85315a03fb80 |
C:\Users\Admin\AppData\Local\TempXDVUQ.bat
| MD5 | 7c6b33b25d35867115c50b05fb15d28c |
| SHA1 | f5f68fa6d475b45caa2b11fdf94f3fb337076a67 |
| SHA256 | 065d97e5c0a93d56928136cc5a1e1bda166f3bb2d6d15edadafb7defa3897ab2 |
| SHA512 | 4664b3f2b417375889cd0f404be9f2771a261707e07c782299f90b0efef80cf43e6278a8faec5a69f303b588c0d49d7e9d71ba2b8ef6051c6f258ce735db8b93 |
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
| MD5 | 19e5069c7220126acfa99d3369955d98 |
| SHA1 | 7ffa07b5393e478b503d6bfd03b5b23712983f39 |
| SHA256 | 3a70c172ef7a551e7a588bed6b6a2d26f6cc0a268aace16a305ba3a8fccde69d |
| SHA512 | 376e75522dfa6e1d2e037f139e0185f0d8be5695fa0d9e1b8c017ca2876dd25c09c597789e07bd9bdaf905a631c915b9d01e19c0e0dfeea2ff4b8a299c42a562 |
C:\Users\Admin\AppData\Local\TempGAOXK.bat
| MD5 | 2300cb5af7e72558b1df29662f6ab94a |
| SHA1 | effadf47e13d552146544ba3057559caa0e2782b |
| SHA256 | 38cf66d051374eec243a0a680b5050ae5f46f836a0ad01f1916fcc26b9abed9f |
| SHA512 | 6c33bc25136836c2f41c51a773bb9a0a3974cfffb3b7a31e8f3f6179ca37cc79be37407f12bf6dc373d8b6e0ef98dbbcef5d788b778ef3250ec43b4ffeb553ec |
C:\Users\Admin\AppData\Local\TempGHENF.bat
| MD5 | d25fabf09ecb4d750d954b98c93d412f |
| SHA1 | ea8ed935ef4a91ec148719da3fd6c69a7084ae35 |
| SHA256 | 3019c2c297ace5e8c1d05be2be81148f5353268fda5b6dad38b1ae75aed45626 |
| SHA512 | 7bb49eaa8030633ea1b4573d0b53aa278d2ff5a51a2eb5d81c2e3504cad8b8e11f4ae54a07839c7db2a2bd5e39f66fc0b54a8f6dc5adaad4863f5c549019ff0d |
C:\Users\Admin\AppData\Local\TempWIGKF.bat
| MD5 | b96c1ebb8b5ae79aaf417f1571d5ca9d |
| SHA1 | 4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f |
| SHA256 | 5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d |
| SHA512 | 63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f |
C:\Users\Admin\AppData\Local\TempUQYPE.bat
| MD5 | e5f6bb61139965cb6eb667a51c1c94dc |
| SHA1 | 28029916e0b2629120efac44758bac285fe4288f |
| SHA256 | de653e425d22be0931c13a52d954bc15f722f65167d1e43906f7e363bb1e0e5e |
| SHA512 | b83b86d6fa5b8d1491834b09c9e811c38ed253423e275b069b7fc502d070bf72eb249ee8581d109096f9ba94539323f0ad669ef122c013b8b8cd0e35bed57952 |
C:\Users\Admin\AppData\Local\TempMPQVC.bat
| MD5 | 01005956b2e2f9618ee5d54677a17f9e |
| SHA1 | d06659adf8a2855ee3ad04156b940a9563c9dc64 |
| SHA256 | ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a |
| SHA512 | 56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba |
memory/2740-501-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-506-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-507-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-509-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-510-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-511-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-513-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-514-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-517-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-519-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2740-521-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-25 22:01
Reported
2025-02-25 22:04
Platform
win10v2004-20250217-en
Max time kernel
112s
Max time network
151s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAOTYFFDLEIX\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AWVMCQMKYPBPRMF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUCDOVLJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AFTTGIDBEYTHOJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIAQHGR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFSDBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYMKJNAEAOUMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HJVVWRQWSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGDHDKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPGYPMHBBQROXJP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGDUSIIKFCDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLCPLJXOAOQLEHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXTOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMHFIXLSBNSCOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HODEWVDEXNIRIGR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTJUNLOEJXWIQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ITYUIVGFJWXAKQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNJYMT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMLYFPYWGDNHIYR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJIQEEFAFBWRELG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVGEIDLWBYTRAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SKGBRKLUYKLJRDK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XKMHFHXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAOTYFFDLEIX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELUKQIYQEOE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MDNTLCBEFTBPOAI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCIAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHTUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUBKXTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSDERXPWLVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNMPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
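The "Modifies firewall policy service" and "Adds Run key to start application" tables above, together with the reg.exe and cmd.exe command lines in the Processes list, record one repeatable pattern: a Run value whose data is `...\AppData\Local\Temp\<15 upper-case letters>\service.exe`, an `AuthorizedApplications\List` entry of the form `<path>:*:Enabled:Windows Messanger` for that same binary (note the misspelt display name), `DoNotAllowExceptions` forced to `0`, and cmd.exe launching a `.bat` whose name is glued directly onto `Temp` with no path separator. The Python below is an added triage helper and is not part of this sandbox report. It parses rows in exactly the form the report prints them and tags that pattern. The 15-letter and 5-letter name widths are read off this page's paths and treated as an assumption, and the OneDrive Run value is a constructed benign control; every other sample line is copied from the tables on this page.

```python
import re

# Paths as logged on this page. The 15-letter directory and the 5-letter .bat suffix
# are widths read off this report and are an assumption, not a known family constant.
_TEMP = r"(?:[A-Za-z]:)?\\Users\\[^\\]+\\AppData\\Local\\Temp"
TEMP_SERVICE = re.compile(_TEMP + r"(?:\\[A-Z]{15})?\\service\.exe", re.IGNORECASE)
TEMP_BAT = re.compile(_TEMP + r"[A-Z]{5}\.bat", re.IGNORECASE)  # deliberately no '\' after Temp

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
FW_PROFILE = r"\services\sharedaccess\parameters\firewallpolicy\standardprofile"
FW_LIST = FW_PROFILE + r"\authorizedapplications\list"

REG_ADD = re.compile(
    r'^REG ADD "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t (?P<type>\S+) /d "(?P<data>[^"]*)" /f$',
    re.IGNORECASE,
)
CMD_BAT = re.compile(r'^C:\\Windows\\system32\\cmd\.exe /c ""(?P<bat>[^"]+\.bat)" "$', re.IGNORECASE)


def split_value_path(value_path):
    """Split '<key>\\<value name>' into (key, value name).

    AuthorizedApplications\\List uses the full program path as the value name, so the
    name itself contains backslashes; split on the known key suffix before falling
    back to the last backslash.
    """
    low = value_path.lower()
    for key_suffix in (FW_LIST, RUN_KEY):
        i = low.find(key_suffix)
        if i != -1:
            end = i + len(key_suffix)
            if end == len(low) or low[end] == "\\":
                return value_path[:end], value_path[end + 1:]
    key, _, name = value_path.rpartition("\\")
    return key, name


def classify_registry_write(value_path, data):
    """Tag one 'Set value' row of the report: (full value path, value data)."""
    key, name = split_value_path(value_path)
    k = key.lower()
    tags = []
    if k.endswith(RUN_KEY) and TEMP_SERVICE.fullmatch(str(data)):
        tags.append("run_key_to_temp_service_exe")
    if k.endswith(FW_LIST):
        # XP/7-style list entry: <path>:<scope>:<Enabled|Disabled>:<display name>
        parts = str(data).rsplit(":", 3)
        if len(parts) == 4:
            path, _scope, state, display = parts
            if state.lower() == "enabled" and TEMP_SERVICE.fullmatch(path):
                tags.append("firewall_exception_for_temp_service_exe")
            if display == "Windows Messanger":  # misspelt display name seen in this report
                tags.append("firewall_display_name_windows_messanger")
    if k.endswith(FW_PROFILE) and name.lower() == "donotallowexceptions" and str(data) == "0":
        tags.append("firewall_exceptions_forced_on")
    return tags


def classify_cmdline(cmdline):
    """Tag one process command line as printed in the report's Processes list."""
    tags = []
    m = REG_ADD.match(cmdline.strip())
    if m:
        tags += classify_registry_write(m["key"] + "\\" + m["name"], m["data"])
    m = CMD_BAT.match(cmdline.strip())
    if m and TEMP_BAT.fullmatch(m["bat"]):
        tags.append("cmd_runs_bat_glued_to_temp_dir")
    return tags


# Rows copied from this report's tables and Processes list; the OneDrive row is a
# constructed benign control and is not from the report.
SAMPLE_REGISTRY_ROWS = [
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe",
     r"C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions", "0"),
    (r"\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR",
     r"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"),
    (r"\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIACQ.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYUIVGFJWXAKQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"',
]


def triage(registry_rows=SAMPLE_REGISTRY_ROWS, cmdlines=SAMPLE_CMDLINES):
    """Return {tag: count} over all rows; any non-empty result is the signal to escalate."""
    counts = {}
    for path, data in registry_rows:
        for t in classify_registry_write(path, data):
            counts[t] = counts.get(t, 0) + 1
    for c in cmdlines:
        for t in classify_cmdline(c):
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for tag, n in sorted(triage().items()):
        print(f"{n:3d}  {tag}")
```

The `TEMP_BAT` pattern intentionally omits the backslash after `Temp`: the `.bat` files on this page really are written to `C:\Users\Admin\AppData\Local\TempXIACQ.bat` and similar, and the cmd.exe command lines confirm that path, so a rule that "corrects" the path would miss them. The firewall entry is parsed with `rsplit(":", 3)` rather than `split(":")` because the program path itself contains the drive colon.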
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4000 set thread context of 3816 | N/A | C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe | C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXIACQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ITYUIVGFJWXAKQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMKJNAEAOUMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUVHIF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMLYFPYWGDNHIYR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGEME.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHTUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQWC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUBKXTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUJXFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVGEIDLWBYTRAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLPQVC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFSDBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempADSXJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MDNTLCBEFTBPOAI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRNBMV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLCPLJXOAOQLEHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOVLJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
"C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOACFX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SKGBRKLUYKLJRDK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJSOC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AWVMCQMKYPBPRMF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXTOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGDHDKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKWSQU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AFTTGIDBEYTHOJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe
"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIAQHGR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPHBK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGDUSIIKFCDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIXLSBNSCOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TWMGELUKQIYQEOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPNSFJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HODEWVDEXNIRIGR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTJUNLOEJXWIQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFHXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe"
C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe
C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAOTYFFDLEIX\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempXIACQ.txt
| MD5 | 471eb1050dfb01e7204011b0b79ad7fb |
| SHA1 | bbd6a22dce8422c708f486cfcca371c4830b364f |
| SHA256 | 7747882bb31496edb9a0f7954c9d6595d73e59b32c41d87de343e02be6a9f78e |
| SHA512 | 4ccf51e24882e4d99fed33ceec4390a3d7810ce19ab9869db7719cf68e917d52a26ec2fe44e52698bb652826de79b8d5eced1cf01e21d012a642ba041e837593 |
C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNJYMT\service.txt
| MD5 | 522709b336b58a34e63c7427529611b4 |
| SHA1 | 39a007de63f061b825f266cb59c25f994779f632 |
| SHA256 | 939c1c6fa74bc3b2de4c16de50a9494c4de0e45ef137cea975cc5cc599c3c96f |
| SHA512 | ae4f73933d5133d5505ee8a2e3cf5b272424206b396fa1ffdffcac40bb43fcc513d662b36a3a86493434f25e68a8d2ee215f576150c891fba277cd639effb752 |
C:\Users\Admin\AppData\Local\TempGUCQP.txt
| MD5 | da2da4db20b9c85b0ba6636edc06c00d |
| SHA1 | 92893883053fd258f00f4fbc5308e53fd3c785a7 |
| SHA256 | 8fcac993078b5faabc185c771380087092f93e72411ce0cbeada60351e0d598a |
| SHA512 | 14d1c25f6c74bf4b05bbce3c69c7463933d7d0fe9dab4cd022842b5c9623864cf8dab2be444f620024670d89dff16c13fd1a3a908532333778c49e33549a9474 |
C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe
| MD5 | 435b43d3d20243096dd1a7d4f369b0bc |
| SHA1 | cfdcb9ab7eca91c0ebd725fccc70cdc92424aa40 |
| SHA256 | 0bdb82f72927add44603343a8784ffdf8181dd892d849b3b092ff6a54462b2af |
| SHA512 | b02b9c3e4dc8b6860424e3115d50fb06ebe53d5e0d7eb0d0bfe4da58be7bf6567204cbaa0edc290374b3a125aed57a329cb7e62f41b41c7f8db12e58be202c85 |
C:\Users\Admin\AppData\Local\TempBRSPX.txt
| MD5 | d3213841806caceea777ff87e0167695 |
| SHA1 | 31bd92efa6ab0d27ad6cb690b425db8e167528b5 |
| SHA256 | e1ff61f68aaf669aedce7ec0f607bf6755ff98f3f7f0369a5dfe40b415281a2f |
| SHA512 | f49b894249b54b486d1a90402e5415621eb0a7c8eeff2c4d3bdc43166cbc2ddad0bbd969ebd6d67ddd9a33f38bff7d2ea997ecaa907e3e4e31a98571071127bf |
C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
| MD5 | 30ef6d6768187c02e21a7ad2d42f8d76 |
| SHA1 | 5b3ad781b4ea483b6e206ff180aa4e2030cc6746 |
| SHA256 | 018902ee3697b7b17e90f792477130e2f7d74f4d4cd121c224287dd1a78ea84e |
| SHA512 | 3b0475893da8848087301daf8b3269e3a8cb1fd08ec0fb7dfe4560842252c25f098c19e6ac88f6cf70d2ed7903d6a4979b9a55513186a1999197ec3060655c2a |
C:\Users\Admin\AppData\Local\TempUQYPE.txt
| MD5 | 5a4384ad153eee40e71481f1b84e2979 |
| SHA1 | c4f6eaf1a1a7e034ead8fb98d9f946ae66547733 |
| SHA256 | e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935 |
| SHA512 | 68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09 |
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
| MD5 | 8c181c308fa6eae229678f770f855f1a |
| SHA1 | 7f33131c9416a401947bf45b843b3e18dc914487 |
| SHA256 | 69f1f91363792e98166e762c7be6ed00c20e8c96956e8f1a6efafcb978fe1f3c |
| SHA512 | bd55d9316ce36e8d7c7318075844531d32e793c1e29a266700f471256012cce495a2ff329319c04da30623c2a60677d09aa6761fb63aa4d509dac46ae8e4b081 |
C:\Users\Admin\AppData\Local\TempUVHIF.txt
| MD5 | c612bdf9e59b062a01bc9550b67d4322 |
| SHA1 | 9b22839c78ba43f6d57e00a0aefba11edab91ceb |
| SHA256 | 084ee87bda829113625fd1087d234dd3e538187cc69780f6d0185659f67560b6 |
| SHA512 | aca3eb8da86bad82b12cf8a1ab06db5a82cfd4fc185fd329276268af7572b84de29d85648475ec17fe4ff66fd1c7172db78c1541c9e5cc339394927759851c9d |
C:\Users\Admin\AppData\Local\Temp\QJIQEEFAFBWRELG\service.exe
| MD5 | e9b600601a32ec1691bb6040fcae505b |
| SHA1 | f3c584e7ca5aa3b4a5138fc1bba663ca1fad669a |
| SHA256 | e7ac219dc75fe5ff0223a64469fe35cd848c56bb0302af7151555193821fb72f |
| SHA512 | dcee72575dddf8bc7607a83eea4029f2d3debb49fbefd25e5b9bbfef346b952d658824e45d9c1e601adb81ec7fe8c33e1977149586c4f39952a4ac5f2db3c4f9 |
C:\Users\Admin\AppData\Local\TempFGEME.txt
| MD5 | 9ad31f63c61d7346f4c43878045ffec2 |
| SHA1 | 3b1ec0a1d60a4088d6081308864f5e740159080e |
| SHA256 | 954d8e16ef3604f9bdd397b77cc9a44263164f591dc392d6490df2369fe79b2f |
| SHA512 | 4cfe6ca028a44e9d57ab0f192de5092c71dd06a5178c8887057d09f787c79d3c1f5a2065b75f71450d7eec70897ed47672b13bc5c771669764a2f640c71702f2 |
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe
| MD5 | 86c0003fffa0d4e849c58797a9c9f4d7 |
| SHA1 | be94afaf505810a858b7e32ce9b55b9ae33685bc |
| SHA256 | 374fcfd0c51055a0ff8e2828f6aa51a6953157e7a697a034846c47a02f32ff62 |
| SHA512 | 267af8189642299362c8cd5bb53e61a37e3431e8aed86d5a3ada89308b1e07ad1bcd9ae2cbe4e52bc1f2cd4f5bdff9c1cb7c38eb56b883152379f3d284949124 |
C:\Users\Admin\AppData\Local\TempDGHQM.txt
| MD5 | c1e9cc859b16b9aaf13c7abbc8695e56 |
| SHA1 | fb49c82be270cefd43f9154a833d9f1fd2b811dd |
| SHA256 | fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027 |
| SHA512 | dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114 |
C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
| MD5 | 4e0ce3f9c984f34f64970e1ddad574b2 |
| SHA1 | 5f1c4d4b9cfd3c97ac84a14c7835de6b2f3d4770 |
| SHA256 | 1037e3681f816830de0506db70463b7c8ab6b5281d7a06fc8df39a28114c5a18 |
| SHA512 | a1b5b8c5fe5e220cb6fe72afeb00d034e634f86305debf710cd86ed334e4e3a05026b7f4d367cd3850b9f289e99f31eab7ac05628782243ddbfc539ad78f4a51 |
C:\Users\Admin\AppData\Local\TempKWHGK.txt
| MD5 | 7d91fbae34e3b22b8ecd08e9589faf4e |
| SHA1 | c0a663f1ed8b2c31fa3e07ff9ea2beb36b14d2b0 |
| SHA256 | c415e6c0545dbab68eb36e8ed2726658f1b06c18c2210c28cd87a5ea6c461590 |
| SHA512 | 3202b819a02005b4de6c990c4235904cddb05f3a20c3549ebdb7016ecd4bcdb4f9976ce24596c26154bac6f6e6133cdcffa4f468f67465507baf3e3eefefbae7 |
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
| MD5 | 87df7ce0e57ccfe26c5fe4b5c5d6f979 |
| SHA1 | 5904a120a4df02e8625cf8202421dc757eaa6eeb |
| SHA256 | e50a5f809fd1ca0e5773f8c707e053406b53716a928d2f78c6c825645ea331a1 |
| SHA512 | ec59b8d3912fae70242bd5bda31730a81e082f28ff85bcf8d8269260dc233a9ca141714d847a8e2860cb09c48914c81606a933e05c9cf6c2da81778ac1438d5c |
C:\Users\Admin\AppData\Local\TempMPQWC.txt
| MD5 | 3aa66717fe1890e4085403eb810d29b3 |
| SHA1 | d8f2d0ac14c84a58a54d09adbb68a3d72df92bed |
| SHA256 | 13699c0be9d2040018c11108589b2be7a2bf877aec3fecdd015e92f5d1054671 |
| SHA512 | 6d44cd6fc744ee57c66f3905d463a3a6f4a9f21667d2c72fd50777aa56bb52d8632908558dc33c7d04ca56a052add1970b3caaaeb9d10fb08d3fa3edfad344b1 |
C:\Users\Admin\AppData\Local\Temp\TNFLSDERXPWLVLH\service.exe
| MD5 | a8def4b05200185b59a93d42e165f858 |
| SHA1 | ca9cae57932c97c724afb65808f2c8bd7adca387 |
| SHA256 | 46b1481a76f5d376158ab01aaf681847a38aac37b3030e02e046f5af3dddef46 |
| SHA512 | 93c70f6a12e21f69a819475a0d465a1e44c2d079d55df785756aac7e52bf69cfb873b3c4a1bb32d7de4a13c4fc1dc5ab5fb81c03a65285a69474c1b5341eb2a5 |
C:\Users\Admin\AppData\Local\TempUJXFN.txt
| MD5 | 5b7187ecd6398d75f46f2eca3fbcf074 |
| SHA1 | f92fc0f33830567906e6893c20a66e36ebe1d797 |
| SHA256 | d232b12818539833d1ba406d271601fbd78b61c0e50915595228586dc2a2e6a3 |
| SHA512 | a9daadc971328ccc826875a0b4bcf37a0f3aae40eaeede069fbf08e4ad3efb0083425610684499a70d721c01c1ddc0a7626e2cbaf9e0e1a7fedc63cc6c8afdb6 |
C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWMI\service.exe
| MD5 | 7a9081bcdb985be55b73862715ef5772 |
| SHA1 | aabb6363e9f40537e84b2dce934bdc2764da3ce1 |
| SHA256 | f539c48e3f79dc8f44e175d2d02c21afd689d4799b6ebdd0eadc9c7d9c9b3ccf |
| SHA512 | ccc8e5a9cf7fba2dc7c49d715b76a55f7a7e816cd9b04a7ad223a162cf3d345597c859af8f5279b136ee82ee703451ec216a8209de19dc96b71af633addc583f |
C:\Users\Admin\AppData\Local\TempLPQVC.txt
| MD5 | 2934c1cd715b076e4de9967cce3f9b17 |
| SHA1 | fdbb5daa0e7a39fda2dcffb164215a3b0e74f955 |
| SHA256 | bb12a4465fe3c466fba0b4ffcb70c46241616110351d90d4d750b28702148ac2 |
| SHA512 | 8ac735c8e6bf99d95fff5cd07bbef130a42d1bc4b4ece99f1413548e629a45563f6e16f6fa07574eb5d6dde60d1dd7f0208bf423b11359ab30ad529ede57fe42 |
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
| MD5 | 2db7d74dc776ab997cbd297bae34e46f |
| SHA1 | 570751cf0afcc0c818e11fced0c7c9a25b6f71f7 |
| SHA256 | ed8513034ec171cd6a328c1b6af67c9fabe8ec95d76625ac78955dcfba1a6e49 |
| SHA512 | 9aa0ed1d9b86bc98219ba3b0c99efa1f8941a83805246638be6cf1455e0b632af13a3ac8a7f282dd25d1e3bf400d2625c00b624bd0ae0280b956f67c3780a8dd |
C:\Users\Admin\AppData\Local\TempYXTTU.txt
| MD5 | b02893b7e1264e03427657ad7e8d60cc |
| SHA1 | 67a83d11cabb1a5b009643c45f8dd03f84b36b69 |
| SHA256 | b23e099f605d205a37e7d6817808f1fe52c00187c831f87488f66936efab9ac0 |
| SHA512 | 17ee8dedf20937b83758dc7dff8fcb0d03468d724923870c49be71c25e5382e9521fd35b744d0481ea3920e1af36f851f60b46ce3b15f39a51adfa963152b187 |
C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
| MD5 | 796f3e1a5516af61fd19718a18e89203 |
| SHA1 | 7c9a0650a49a5d8d03fde8623ae0ed6dc4964339 |
| SHA256 | 606356ec049f50c020ffa672fedaabbec13fff7a9eb932b5a805aef5af86fe17 |
| SHA512 | 9d53600166c10729f798591525e59a126082f66b4c70aa645ec241536cf0b58e5e62927712669bbde9e61a6e979547c593fd50cfeacd0dafea9ceeed31890fe6 |
C:\Users\Admin\AppData\Local\TempADSXJ.txt
| MD5 | e8505431637028ceb2779f8bf990d7bf |
| SHA1 | 1827ff8626158e982611b8f53380f02266bb027c |
| SHA256 | cd0722ed86358f34386e1d5bb74c109db375a417387927fa795d342d4051136c |
| SHA512 | 4357587b94e2d23300bae114509a7964e68805f6b3fc8f026d3db19a93e6a46b772c9bc1a711b6cdcb52ee33758e78e95c5012c2c120339f7734508f5beb9cb0 |
C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCIAF\service.exe
| MD5 | 2217d85a853e5774d7a9af569454cb25 |
| SHA1 | 3ca641de270a0cf35a4045f34f441a621d84195c |
| SHA256 | 82ffd6b80de8a0648d4104962e07d70ae134dc2454aca3c0d4c81c76e48c7a2f |
| SHA512 | 3877f43c76b874467b9c2853abcd84c94940b7e6588d35231998a0afde190c17ddd1a88726c70c3b9d0526073ae91e5461e5b19d07646c1b4aa19780353f75e5 |
C:\Users\Admin\AppData\Local\TempRNBMV.txt
| MD5 | 0a66f3ef877543b735ac3975aac4f1d9 |
| SHA1 | 1cb758fa73bc7310712b319ced995011c213a8fd |
| SHA256 | d02abd7badf6a6feefd824e4d31afc5ca3ac90e520c25a33ac0e23bb2b099323 |
| SHA512 | 941224ec57e97301c9406d3184babe326d4d1c4232127a7d4eaf26a173f17c68f08a9e82059148394376e09b0efb155cf42130bbe865d7f65bbc57d5c4b00057 |
C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe
| MD5 | e9e33575cd86b258e0201ab2d3be44e4 |
| SHA1 | 3bdab4cbf3d6263696a0470964891336da2024bd |
| SHA256 | 8be60075706d3a441d3b42377f54ff2dcb9ca83000ab4d8dd19add740a4e3d15 |
| SHA512 | e715101d45df71e954ad4360893bd499028ddb598b949134abc809ce60c06fb3c52708920672c496757fc678dfcc3b1e7f8a76713f63fc33ae29b5f3ba9b6ce5 |
C:\Users\Admin\AppData\Local\TempFFYOJ.txt
| MD5 | f3719e263529fa662715cdd85fec8596 |
| SHA1 | 6148a2364029aa9781f6f2d6143ad2b060483be5 |
| SHA256 | ee5e309ba64eb2c3b5f807c6b026a982ffee23b8bc50a9e3184b80e04275c9fc |
| SHA512 | 749de53bc273ea7004970b838725bf7c612d34254ed1ab6d5af5bb83518865a34ab97cb0a47a9804b60ba8a18c0fcdddc19f8e679f940ea04a2c72b747dc609f |
C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
| MD5 | 4ffc0035013511f9b0ce1b03c2ad2d49 |
| SHA1 | 2142dcf2ab1758af505f3eabc6dc0a34e6f38f2e |
| SHA256 | 4be2776aed720479f939bd8db2894b3fd2a8954d52ebd8ed2ec4ae8d7d0f7085 |
| SHA512 | 93f267cfc96c93d69998101373729b2904887295bf71ead2c8b4bcbe59bc696bdcf5174248a5ef0fed1ed644b2a17d2a14d0e914bbcbc4cc06e882b949b6fbd7 |
C:\Users\Admin\AppData\Local\TempKSFLQ.txt
| MD5 | b26c8cc3ca5f915507cdbd939df6cd98 |
| SHA1 | 41df0368c5141d0135229e8b792c94bc18980b4f |
| SHA256 | f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3 |
| SHA512 | 57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655 |
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
| MD5 | e0f9dd8d5154117681e0b2939cc6c3ff |
| SHA1 | 71764232e07d0dd55c44b4b8197daa80d3fda326 |
| SHA256 | 172ee6d832c26b6b47bc2de0f6409e190b9a3570e7844930ca4f753a6912b06b |
| SHA512 | 7c99aea98b0e69f3b082c00dafd254ebae026ada7f7347206d1987be501d6fe2828df65538e695408c9da936dcf0009a4ef06945a99e32e3880b607c3da0d288 |
C:\Users\Admin\AppData\Local\TempOACFX.txt
| MD5 | 5409b5fe067eff7e02a38c3ce47ade86 |
| SHA1 | 206bd87521316ecad95022b5ffb09d19d19e28ee |
| SHA256 | 6bae98d721fdda2048e1b02261b9222fa249ce7f4c22f43ec4494af23b463414 |
| SHA512 | 388916143217cf5e7542ea7ccaa2472f17ea3c237eab059831b7073e8cd6b827f1e88c0bc98603d94b553c532b334ebb0438f4b881b6abea8fa59770feefa4f3 |
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe
| MD5 | 6b08bfad03b4d985ea0b2a76212fb4ec |
| SHA1 | 38d688d3b46f80342e9ae08297c0a7eef16f919c |
| SHA256 | 9e54c0116517a2553e5334e8beb086e9fc745488090c40c7f81622de14e68126 |
| SHA512 | 8149eb0315ce90f9844894527074550c68c9683e10dd2e042f6c96f76839d64b4db31db26cc919c4a081eed89fe68573ef76a35103cddc25872b08afda408a2a |
C:\Users\Admin\AppData\Local\TempYXFGP.txt
| MD5 | 534a5a9a08499c8112430066acd3f32f |
| SHA1 | 5e4b2ea4b3c026d710cd862cedc58e9a4ad3235e |
| SHA256 | d7b2951ffac14cb21060566ccb4d395744b83685aadd1bd205355e119b68661c |
| SHA512 | a8c6612fce49e11b06dfdd30d712ab912505bf3fa6e270accca1f3b823ea87917afe04dfe7d843b202303d47bcb4a3b7e98a209ee83c99f4276e89e56725bfdd |
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe
| MD5 | 7470ff458389b6bac4842a5066a538ef |
| SHA1 | 8349c47748dbdc6a17ec8e2438adc9bb9a7834b2 |
| SHA256 | f65603f09a1461ed00f4585a791419edc7058317493cca961f41c1bbc672a70d |
| SHA512 | c29a564f5df42e79c731686b4b7a7f5b7cef04dbeb3471d139c576eb6443cbb7461bbb9419b3de4de66ae630763f16eea0e6eda917b3bb62efb30b3c366fcd78 |
C:\Users\Admin\AppData\Local\TempIJSOC.txt
| MD5 | 053b51eae04a6363b9e65a4032cc7a28 |
| SHA1 | 23feb7c605b2844dc2fd81c3913a9f29e4729373 |
| SHA256 | a06777194667f0a0f210c26b5c9389bac9fcfdd76883de805d92aa5a05315b2f |
| SHA512 | 698597e9c0155dc5dec76f91de9a536c7f213b7c7383c6981b1804a899f9117943b16dbda3b0ecf531853332beab8a083431fcc44b251204692e12472f716ab2 |
C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe
| MD5 | 72e34f84232ad3759734de2131cc87ed |
| SHA1 | 8f109f2396e23a8095d242f252dbbabd255b65df |
| SHA256 | 99c2f08a59f8026ea527e55cb599e0b6effec5bbebc5eca636e2b76a4472816e |
| SHA512 | 95b1fd82b9225df38b9512e58dadda0ff04fa3239c1542e784ad7a6e5544a4e27605283a3011bdc32960bc6ce4773d1d16df2bf5b62cdc986787994e78f51b2e |
C:\Users\Admin\AppData\Local\TempNLPKS.txt
| MD5 | 7e488893ead94784cbfdb3cad2be1267 |
| SHA1 | e179fa18b240c727b240a45d068e0eefb474c166 |
| SHA256 | 4a63114693dfd3e67f87986e7bb37d64c885329c0817c3334b10ae87c5143cac |
| SHA512 | 2ecb16b534c6209b89d2f1cab3c7957d914228ac4c2bf9d3057150835c8b02638a25fa5350cc2d0059af153bffbf0743af9f08e0ded6418660079f0e9162ffa7 |
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe
| MD5 | 9691e005a8dd54141f6ec4fb0575c1b1 |
| SHA1 | 7c3e5aadc7a920de2225c2f433b665bb5cdce619 |
| SHA256 | a45d50eac7b75ed52efbecec930415d1dd2a6573519017d5bc3699ec77591a3c |
| SHA512 | a007618b87068f62f6d89aacd9e544ed016254ca1e7578bce44705aa94314fa29f888a5c16356bf59ca7da44197f1c987bbcf7c0ec576201a1cc828465a338c5 |
C:\Users\Admin\AppData\Local\TempENEYC.txt
| MD5 | 450df8792ce97b3b149ee477a338f126 |
| SHA1 | 5ed11369cc5067502ff2e23e0fba08508ac08e85 |
| SHA256 | 5bcbd88e62ecbb95519094c7fe1966d29d68cdce5c2ad72fb3ff427b4b598624 |
| SHA512 | cb16108bc5c8dfc4e092b71b448505353b2a5bd103f436a88bb7d0705b61717a1a38eac618927d27e61f62af07facde2bafe77d616950c29477968debbf870b6 |
C:\Users\Admin\AppData\Local\Temp\GPGYPMHBBQROXJP\service.exe
| MD5 | 9aad5cbb881327a1df7259beccb7f5dd |
| SHA1 | c441a3c6f05331944956fb661357fdbbf6e9c743 |
| SHA256 | 3ac6c49944591d88a80ef75c50d2b0105eace4f9f2d3426aec69dd8e56784f64 |
| SHA512 | 17a2b832c3f2e0da8e03400a0bde1b14ad9f568cb6614b8dab1e48b04f8dba12569948058a06e750acb34323a0f547cf39e53d3e5e251ecea882a04e6c1c3493 |
C:\Users\Admin\AppData\Local\TempKWSQU.txt
| MD5 | de91ea33ca4a8e1a874454fdfec5e312 |
| SHA1 | 3af287b5230dde3d44b6f32286fa8725d94ee00f |
| SHA256 | c349090f80247ec2a98b77cd05d50bfac2a05c22c29b8e3eb0d7dc256fe29f81 |
| SHA512 | 187f3de5ed575f9a96bffc908eaaffd25cc5731647a02290f005558baa43a744a85cc5ed142b45fb69403ace9f4b17a82ad6f2dcd568a0e27e38a8b397a85992 |
C:\Users\Admin\AppData\Local\TempKLUQD.txt
| MD5 | 6a401fac14448a283b090176a53a6b0a |
| SHA1 | d154a2cb98ece0bbe8a6f2d73a905132a15235a3 |
| SHA256 | 25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f |
| SHA512 | 4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887 |
C:\Users\Admin\AppData\Local\TempHPHBK.txt
| MD5 | 8506c3afdc08f02c6faaf2a2db024105 |
| SHA1 | 131df5fa44be3c51c24326e0a7c24e894b78a053 |
| SHA256 | 0e56f8c609148994ddccfbef8ebc13b6453c83fcc1ed41638403b8c4d599ca37 |
| SHA512 | c13a347a4e2fd5936517a342a74f1019735c7bee46c2b74511a10d194a0bd452496ae3d536da233e957ddf9f2cb34e79ee425f2a4de2f13e6af1b70520b2ca5a |
C:\Users\Admin\AppData\Local\TempSYEFC.txt
| MD5 | 28c24a343f70d490fc8f69dbc2484456 |
| SHA1 | f68463620b1fd8d538c92ae77aeb8551ddf321a4 |
| SHA256 | 1f0da84ecad4d62c31518eca826c46fec9900f135c059c5e69f7573ba4fa1fae |
| SHA512 | 1781ea0c79a8510c2ed3af903c73455f3499f8ccf8a9ceff262ecb1f016d2035f8738419c4938cbdefffe5b59b9d0ac9d37b927fae4773a19537144eac321a5b |
C:\Users\Admin\AppData\Local\TempCUYTQ.txt
| MD5 | 46f19fd0c708b38dcea1eaf6a92f0c50 |
| SHA1 | c48b7c70aba151004bd4bfecd6888c3a7bf628e4 |
| SHA256 | 3ccc4288690f3ace49bfcfd1faaa011fc300f00cddedbba9004d1750e08fa966 |
| SHA512 | fe08992afbf445b47ab9c052c12bb75f6916b2ee6b28fa6af4668cec15afa0d484539f78ed01fa70a45084128e9401c1b216dd024afab0d70be8548be2bc7653 |
C:\Users\Admin\AppData\Local\TempACQML.txt
| MD5 | d31a68da3485c625bac4ed229893269d |
| SHA1 | 4ae2e3e3e724e2c9bb564ef2a79ac8951d0f9645 |
| SHA256 | 009657391d332655c29c95bb7af06c3190ba1d35a0870ba5b827b72167096574 |
| SHA512 | c99256691cb2bdea9dca38d1b168bc36e8bd3e309b5d44e0be236372816ba3c2028c3cc1cb5c51c9110520b0cd76f8ca8ec57055199035fc13f32d228205c83f |
C:\Users\Admin\AppData\Local\TempPNSFJ.txt
| MD5 | c0edc66b457ed702751323675f9e41c0 |
| SHA1 | 2afca3bd12c044a43da495258b677b4f6dde20be |
| SHA256 | ca31a05bbf0e08aec98dcad00e194198a3deec6bf2eb31d9d0f8b59aa1051281 |
| SHA512 | fba94087087be02529828d95455c3915d7f16e79ae715e754397b19bc12bf11cf0dfe1958411e35c76ec8ed015de29a9080a08f59231285b4c069be09f528069 |
C:\Users\Admin\AppData\Local\TempCUYTP.txt
| MD5 | 08ea9b0793b821c5dd895aac5ca0e326 |
| SHA1 | b9eac1ef591128a43725fd1d4f525b797b2cc2df |
| SHA256 | 41c44fd2715d67ffa4cab875cf4dcd75ca4b38abb402c26fe7d89458a4581293 |
| SHA512 | b77ff1a7904295fe98ec0b5173f9f766da7fa24efee8a64f119e660b5739e8a50f8bb0b15da1385804dfa754d493c54d8487cf0a2efbe885ba961251cc813d64 |
memory/3816-762-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-763-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-768-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-769-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-771-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-772-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-773-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-775-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-776-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-777-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3816-778-0x0000000000400000-0x0000000000471000-memory.dmp