Analysis Overview
SHA256
70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff
Threat Level: Known bad
The file 70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades
Blackshades payload
Blackshades family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 03:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 03:39
Reported
2025-03-05 03:42
Platform
win7-20240729-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDSR\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QRNLNDQYHSXIUFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQVGHENFKBY\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXMNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIEYTHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCUYTPQDJQQBUUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKILXBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIKFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWDDBJC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DRRFGBCXSFMHMJU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIOVGHAUBROYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMJURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDSR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHNUUFYYNWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONHQYIEPIJSWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRKAKEYCFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CSOPLKXENXVFBMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBPFSOMRERTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIAGNWMSJRGQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EGBCXRFMHLIUQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OACFQRMLNDQYHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXUIUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GBCXRFMHMIUROSN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSYPXMWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EQRMLNDQYHSXHUF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VMABWSNAWHXCHWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBLBWTSWKANJHXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVJJKFDKGWJQA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJNIQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAABVBSMAHC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGGSYPMRMTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEYEAVQDK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LRWIGKFMBYCUTBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UITJFERHVRPUGAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRNCQXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYDVTCCWLHPGEQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUSVGLQDAPXP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTYLBPKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSJOGXOCMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDAJBGVUIJEDFVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJABDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MYJIMDNTLCBEFTB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTCKUQLGAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\REBQYQDFAAVQELF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AOWOCDXUPCYJEJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OTPDQBYEWVRSFKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFIDAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ABWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKBMOJHJNUDOTEQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNOJHKNUDPUEQBA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWTUGMTTEYXMVIH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVUKUNMOAEJXWI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NCMCXUTXLBOKIYX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJWYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe
"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBXPVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJABDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
"C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWBRKN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UITJFERHVRPUGAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPOAIA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MYJIMDNTLCBEFTB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIVWWB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QRNLNDQYHSXIUFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYPMRMTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempABPYL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXUIUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVKKLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GBCXRFMHMIUROSN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIVCTM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYYNWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBAYEW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKBMOJHJNUDOTEQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKYHSP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REBQYQDFAAVQELF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVRRFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXMNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHPBIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHQYIEPIJSWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMRKAKEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWFRXO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOWOCDXUPCYJEJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSFERV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCUYTPQDJQQBUUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQHRKILXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMQEHH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYDVTCCWLHPGEQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESORUSVGLQDAPXP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGXQTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CSOPLKXENXVFBMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBPFSOMRERTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSJRGQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNVKKL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EGBCXRFMHLIUQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe
"C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTPDQBYEWVRSFKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIKFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWDDBJC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDGIRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTYLBPKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUKECJSJOGXOCMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHUFEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACFQRMLNDQYHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYEWVS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNOJHKNUDPUEQBA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRPTOV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRRFGBCXSFMHMJU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPIOVGHAUBROYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVCYYS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWTUGMTTEYXMVIH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVUKUNMOAEJXWI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSYPXMWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEIVWW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EQRMLNDQYHSXHUF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUEPVM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VMABWSNAWHXCHWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMMOJC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBLBWTSWKANJHXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WONVJJKFDKGWJQA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJNIQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFIDAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ABWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNANPK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NCMCXUTXLBOKIYX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVLYGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LRWIGKFMBYCUTBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQKPMX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDAJBGVUIJEDFVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIBDQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJWYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe
"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOWKKL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMJURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe
"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe"
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe
C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDSR\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempBXPVH.bat
| MD5 | dbd202a0a46f375b0cc9300a8a9896e0 |
| SHA1 | 3eed14fb0f9ce2b361f53585ecd300637f8adac6 |
| SHA256 | 3e5078dac7c18b9008153c65dd7d2beeca586d81ef3987a820ecc6358c5f0c8c |
| SHA512 | a26ebdf65e36a2b6de8b911400072674f6efce1ada302fe084821e933b14ed809645a3435a469bcdf518548adc7abde0758f8144d5e1780ef71a40cdf85f0fb5 |
C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe
| MD5 | 349b9b2b48d503eb40362f7630674dea |
| SHA1 | cf9885cb05527485d752acbb1e3c109e0c95151e |
| SHA256 | f48e2dde3361c694d214fa604364d6ec1ca0e7e89c7e739a897024ec05b71d9d |
| SHA512 | c66fd86c7325cce19e628fe7b2947e8cd447c4ef59f329d4acc6a7766cd2e864e2155c6de134880f8556e48ae490ad8c47611326e93462306678c7e24312c6ba |
C:\Users\Admin\AppData\Local\TempWBRKN.bat
| MD5 | e59ce953f1cf4d1a3bf5be907c754838 |
| SHA1 | acdda153272a8111f5fb4872dad0e563ee80c181 |
| SHA256 | 6c05963ab5063b128c64d7bcb01939148c9c0765e09e632f4dddd86a807809b5 |
| SHA512 | 599238a6a9a462f6ac885dbe1921fc164fd7267a10378baaad6a67bb7a6096502c86a3641acf2f348a1764cbcc98339727aa29b4636a13075801c6d80ab59b0d |
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRNCQXG\service.exe
| MD5 | ece19083d146eba21ea590ca916c10aa |
| SHA1 | 3fc6d63ffcb90f0a321bc97bbf8bcbf23f4faf93 |
| SHA256 | f5103eed05da68e0aa04daa8fc0a9f9c70d964f99d69631ecdd21daf84b80d74 |
| SHA512 | e42bdbcf9e9843d3178aa94f0f34d3d407e752f5140c9666bafa29aaac92a33745010281efbfdce2e1e228f1fad69d990b0e17ab1470fbb6417cec77adc872c4 |
C:\Users\Admin\AppData\Local\TempWWSST.bat
| MD5 | 38a5fe573d1748ef132978d7d67998b8 |
| SHA1 | 1d9107aae4c82cacccd0233998086f2e7f06a6c8 |
| SHA256 | daed0a467e7f95504773a6c6f4110e4c2d526e747e8cd3cc6296b007ded6a22b |
| SHA512 | 62459dd7e0b681ad8fc056394ca4e05791fc7c8ce5572253c031d89e3d8fe0a2da22791d894186509ad0a1f22af96ea35ec955eca91233e7fafaa1fe8a2078e4 |
\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
| MD5 | d3b2847087791a470efb45b620ff6082 |
| SHA1 | f9d50d7752a3191809227ce0314cf794fa8bddc1 |
| SHA256 | 03312d1179a4c53766d85675ec7134084c339f809fef64d3ec2c491b5288aa2d |
| SHA512 | 03df6fecfbe6926cf378cd594f5166e5de0bb9840b30ea09e4a280d4727471be0fe9da612f05aeb32235c606519eceb00df969cfa4a429a2dfab183e2923fd90 |
C:\Users\Admin\AppData\Local\TempPOAIA.bat
| MD5 | bc872a38e3b3f4a9a0f0a0baabe7bb6b |
| SHA1 | 5f6f40c801516aa68407c077d67b2514c5eb0b21 |
| SHA256 | 20af3177351967ecd1045641ad5885c241fbe9478c4b40dbb4d355b9a80ea110 |
| SHA512 | a9c835098e0b199a5d9656a28ff9085bec64e920f53b2ca64ad5b1e30d52abaf54026fa483c7de535a5bbc0f571c6e64ac061cde8f9a5b37af85dda813802e45 |
\Users\Admin\AppData\Local\Temp\LDTCKUQLGAFUVSB\service.exe
| MD5 | 24613a99c5803bc99e06a108e7031072 |
| SHA1 | 439253228669b47f04b2739d7ea9e583e0050533 |
| SHA256 | 590c11fc43cfb6e282dce0ab052b57db344d7e91b1faefd85c70588f98144290 |
| SHA512 | 491c078910628730de768effe144b7feb0fd1b674f53a876222d1dc75fa71bcaebb90d4ae2711b46afcdfec9568105deeecc5219252e6fd1091e2354b2efe9ab |
C:\Users\Admin\AppData\Local\TempIVWWB.bat
| MD5 | e4c63f9b31fa4b9517901cbd255f43aa |
| SHA1 | 24e146a68bb0d65c8ce6cb5acc28a37a35b9be2a |
| SHA256 | 5fa218fe5f519b435e36f27e1dd522ff97cf1481b8055f9b61b0b5926b8650c5 |
| SHA512 | 9e94f490d32b81d06690126e7efcc7a3c770bf1ccc991b1d221603c7ea071f0e24f58c6b00a5e12ac4588ca2f39524180bb13feb5a2dbe46114531dfab0b3dd8 |
\Users\Admin\AppData\Local\Temp\FOXGCQVGHENFKBY\service.exe
| MD5 | 445b14e12deb039520b4fe65e5f3945c |
| SHA1 | be876d566e21069bca420bb3232cc548d4ce03bb |
| SHA256 | 50cd40fab2fe433f5240c8aa7204b4eb7850183710ed1ea1c80324e127b797c7 |
| SHA512 | f0ccd18d5f15207e610b9368e25a5cbe20c3969feb89950894c787cd42c05d2991206734dde8fe943e554368263ca91fee93a32a610bbe1ed1ed4fc47afd2ce3 |
C:\Users\Admin\AppData\Local\TempIJRNW.bat
| MD5 | d5811bd988972a3991bbf82f7b88d675 |
| SHA1 | c8c6a418f390f9e574aa8d3da830451c85fb022a |
| SHA256 | 537e0de448adb78c31b0cc3357f228d32c726ccd62bb6ca1d974b8f3b8d3a367 |
| SHA512 | 5d1e6485262534ccbe3340bdcc12f4e3a86bcb26dfde1720c0a14c805b40e6e4e5748270aba15b9a6dddebf80845c26944ccf67f07bde0824e16e1700ef1938a |
\Users\Admin\AppData\Local\Temp\PIYHPDDEYEAVQDK\service.exe
| MD5 | 2b87c2af21ee84f54e48ee4d98beeede |
| SHA1 | 52b40c587bad2d9aae62990a3a06b765e773a6ca |
| SHA256 | 9a71c1189b3780e153273e5f470e43869ac98e7808ff110d35ed9ac57d3c7954 |
| SHA512 | 972d8a3d5cb8fbac66fd9f8d9d4a85599b49d7095b147166b3cec00288ff25d6f28f595331aeaee7138b1f7a4a0da6b3599b5c8d7ad766736f306d314b459167 |
C:\Users\Admin\AppData\Local\TempABPYL.bat
| MD5 | 8b3de0aee12e7aab69ea8fc2328da8ae |
| SHA1 | cadb8b4d91dedf14e4d3a51f949df0f4d2d0902e |
| SHA256 | 582ad57e5218f1271f4a403a75e06036c5416a9d3916bda39622fd4e32735376 |
| SHA512 | f94c758a851b1415f352fc5ded462474aa64f4dbb0b14d2e83479ecd019e102d93ee748909bdd8024d85d97ecacfdf234cd802707b9d84d707a6548d297b8c06 |
C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe
| MD5 | f1f9bdb7941d8138f0857694da4a6a8a |
| SHA1 | 21ee8bce1da432cd7a946eedff90fdde5adc6e9a |
| SHA256 | 431acdb6ce15c5efa9d3a3bb8f457d86e1c9f54b597cb7fd14323d9deb20f23a |
| SHA512 | d528584b2a96c134f5d457552647ca4137ae3014e60d47e677f7f511ad6ff81e511657cc5e65f46c6bad8c7344e01cdb9d1fea60ff3cc32f8ec0969179b24601 |
C:\Users\Admin\AppData\Local\TempKTPCO.bat
| MD5 | e6971fc5ad2bb62beef1e7af5975375e |
| SHA1 | 28cc9cdf959d6949d98d965a0e5c6686fae0c421 |
| SHA256 | 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58 |
| SHA512 | 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8 |
\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
| MD5 | 30b2c680b72801f49c6d4bb39e16b550 |
| SHA1 | 5aa72d3cc1b63e0129fe30388e0375fd5e665f37 |
| SHA256 | 326ed876706df78abefc5b4078cbf39f557050d105099bc95859559eb97c7856 |
| SHA512 | c8b0b0410cf5e50d023f8054c302024c2c21a51a0ed9a1eb0333c39cbd52301e8a32a922cb161b64a2348c7752d328bcbc4821f30f6b9391622e9b96f69547fa |
C:\Users\Admin\AppData\Local\TempVKKLT.bat
| MD5 | dc99d38bf1a45ef6f796f1cbce40895a |
| SHA1 | 6125baeb88e340f7438317be24d2811de3af0ad3 |
| SHA256 | 45a1588ffa960e741615252a4e91dfed23194d3d23cbbf263d2b36538a927851 |
| SHA512 | 4d9beec749fd3bc5d66b7b13f880d81ac7e085eac4f8b66437d510a0ce840d6b1573f0725d347f1701a92ff2be77a816366dfac8d04143eb2a275355720d294d |
\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
| MD5 | c30645677d8198c5f5eb0063fc389e46 |
| SHA1 | 564a23f5da1a6b70c2a5038199f2876eb139fd5c |
| SHA256 | 308ad25ebbe47da3503b9f12e2d04c32dbf11cc516dbdb59171c434e2d7f0fbe |
| SHA512 | 01669c35f187fa9845e1a7b1973e0e751049af297df379790a3d36ba0b960feb0de39622535acc86f1bc9563facacc14910a3b4e7fd6244772ee209c3606d453 |
C:\Users\Admin\AppData\Local\TempIVCTM.bat
| MD5 | 5d1f99d7a63b2dfc0891a317cb2ed94b |
| SHA1 | e862030f44f9350e2d588d2c81e61794ef708b4c |
| SHA256 | 3e0b854f0d5ffcaeec26322caad8563400276bf55f4683196d534c90903e81d8 |
| SHA512 | 0e66fe5b1cc96e92e33ce0b14ea21be7254d7992589c6b72ce0eec5f1bd7a9e1ae7fb018b36d76eff86ab9e43ee9cc1eea26fb28757f461d4538f12343c936e8 |
\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe
| MD5 | b54d063ee1641e6f873b8331b0d4c42d |
| SHA1 | 68d66f477a6e1e6c6fd41d178707eeb35533e09f |
| SHA256 | 796fca9560f4d4e60a1919ae19577cd66b5ff86522e079a9b92b1dfc1c28e382 |
| SHA512 | 6ab1705ea0be8c84fa82a5a3ea69af14d9d5acc27177029cac49cefae3888118529a469fa4a37746a56d4f8c24be0522aed750ce9480fea9a99b30d9d9294f3f |
C:\Users\Admin\AppData\Local\TempBAYEW.bat
| MD5 | 8ca070e19a7e5ff3f782a25cce111316 |
| SHA1 | 37ca4e654b17d53e009923605a12a4d42abcd0be |
| SHA256 | 0174594262b033702217a826669707ba03af06b88905067cf3f0134712301816 |
| SHA512 | c26de3c53120af0c619ca20a2de15606f13aaac57842901f1e169e1b6391f34756eb47ce99aa2a7f213e96bf65c80706f82ba8ef46b6d4d028df7c2c30da41fb |
\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
| MD5 | 3e5c651f5e206af4fd18fa0e1136d901 |
| SHA1 | 959af18f12aca83815d2053452e1ab768e2da6c5 |
| SHA256 | dca13b3329a16e3cd99512f99027199588cde8577566ad7357e447450891008d |
| SHA512 | 2f7dbdae8017a6f26482e35a4dffd0388f62d2ebff1b1c852d16efd42f97cc59164b1168624c5b05c6b538ae759432811382132399a0c482e45254399ca29bbd |
C:\Users\Admin\AppData\Local\TempKYHSP.bat
| MD5 | a7d85f41f2a6b6c501a50b4daf5228ea |
| SHA1 | ce778cf12ae843328419cea294fc4d8bb8a2c959 |
| SHA256 | c2ff394978469078ee30a653e61d9e27dec60f35aacd9b736cd64a07798450ea |
| SHA512 | dd963d5796f6b2a3aa4d5ff9683d4a6863ac568338debca3b376f86e1832df2b9e1f2db0d552d5bd372bf875903059d70cdcc9a14fabe6b74252373346cc1af3 |
\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe
| MD5 | 3333cb5d2578a35f07ffa3a0022bcbbc |
| SHA1 | 7de497fd49eced9147c9227b8a8a2412a90d823d |
| SHA256 | b8f0ce9f34826f6fc1ca5755be31826de3ede29b495d2cf7b3672fc6f817ed06 |
| SHA512 | aa8b45f9277d6cc541106314f12c14faafb2d355d321e88a8b77e79733a44f46ff3ce4c4f9db026ce8985caac4b6b2b47ebd8d34a39c53935d65aaf6c66381ba |
C:\Users\Admin\AppData\Local\TempVRRFO.bat
| MD5 | 7b4429133f5c6e37c64297f81ec77670 |
| SHA1 | b56d1182c2e66f79b10c11a3d505d21d9c368e77 |
| SHA256 | 549609b0e948251fdc0bc9c4e50c8b5088d611c3fe760c52a705a843fc9cff13 |
| SHA512 | e2e600c82b35ddbd10bb8b875771e85073ee7b3c9ca7dca8240747457c7b5ffe6a44ffbc71b8df0cd78eb9b42018a221cebc606e120a9cdf477aa6981ec89ce9 |
\Users\Admin\AppData\Local\Temp\TMLTHGIDBIEYTHO\service.exe
| MD5 | 1e04449306af786a468f9a084ca9f67b |
| SHA1 | 7e8755ad7829597c4fe49ef371a2a848fefffb2b |
| SHA256 | d896b2a53b63fc670d0a9f4ff1e9cd7d7ad23e85ee2a36a480d4d576b548f56f |
| SHA512 | bfbabdd15b372de23ac6862e00b35fd0b2772a8740f6c7af0eb85877990e2b65ee6f5d3b6dcb27968c75f9db857c4631a34d93b599682bafae5ee132dd2cbc8f |
C:\Users\Admin\AppData\Local\TempHPBIM.bat
| MD5 | f6d44b68f63d3ae08aadc68cd8350a51 |
| SHA1 | b11f704ebe67f93b5cd80bdf14cf1ea959428d35 |
| SHA256 | 3da4aeef76de05645e9455edc27cb9fc1732f1ed2e6d31da04e1ec94ae29a380 |
| SHA512 | 81f1d219e5c1dbc5bd2ae3c6d52535cd2d2e14c66d275c5ec9c698edcd94bf9194b845cb355abd733993bc9a040bd0391d3b9cccefbfe922bbee1f7b8a94f3c5 |
C:\Users\Admin\AppData\Local\TempWFRXO.bat
| MD5 | 2e1f0ca09ff5644d6b8b0bed01a4b74c |
| SHA1 | c82ba16b03e4c8981211a8792bf3a49ff53ea392 |
| SHA256 | 02892931719b8c3267a5088f5ccd88c1fece602addf66c71659083f1740df0af |
| SHA512 | 70bb70f4ab7d680d182c01edf5079596eaf67015b83150d8bcd4f41e6a25de7d54615e1eef15fe6a10d2209e61f5790e43c441dae0c2b8908e5de1e54eb11825 |
C:\Users\Admin\AppData\Local\TempSFERV.bat
| MD5 | b47a76e985afc3c3a70c04bba856e402 |
| SHA1 | 10bcf27d813d0259ecabe2090df20615a87ce2aa |
| SHA256 | 312adc628df00fd9894a64af2c4fb8ea679ba4262c70cdd6f0cdd0c52a9091c6 |
| SHA512 | 4cdc2e0eb72b63a2d1ac18593639f46362f3aa212ed8dd0ebf7b1ac694170ddf836294d4eac0857ce7480c5df40534711139872824ced10630b1526d1c29c2b0 |
C:\Users\Admin\AppData\Local\TempMQEHH.bat
| MD5 | 1cb553296fb6874dcf239b7331a27552 |
| SHA1 | b300e432359f8dc14c9c34aa1755f61f95335bf0 |
| SHA256 | 594ff0321aae1425f81a83cd95cf56cdca80f2b3d4d5378dfc622989e00ba374 |
| SHA512 | 81e2905254eae15a425cc6947e1c39eb241d68067d78aa6722b9896aef7a7d6829e3ffac2f344d42b4f573e0ed7e1b7d1701f42ec881bf5f3e6617c5686675de |
C:\Users\Admin\AppData\Local\TempRCVVK.bat
| MD5 | 53bfce173bee6cb46bf72cff1923b2ca |
| SHA1 | ec898f8bc5e8dbffd4378b590d222a2628d3848f |
| SHA256 | d8e5e08175f4b556c54390ec568b84be889cf08086594967bdc7b2072264286e |
| SHA512 | 89c5f8bc1de97c7bd6c1dea6830a11b7c7ce6d1a62ec991282ecfa2a57745b268d8df63b7256c94bd4065c0b25fc45e4d592760d6a82c235049466a164855739 |
C:\Users\Admin\AppData\Local\TempGXQTU.bat
| MD5 | 16ab4942ebaad96c3214d0ea9fd30568 |
| SHA1 | e7d2df7c2923808d86a601dabec75acdae3a9319 |
| SHA256 | b726998abcc4461028d41e5e886e339f724e38ca5868a504fd51eb29d43fb174 |
| SHA512 | 5ea92a645d350c6b6e7e7b1dfea2645c0269408dd103d4d22c22faaa29434c81c14c9c2167c7f3e83c3000acb76b13101b7c9cf4dfb83a88260578d6f378f3c6 |
C:\Users\Admin\AppData\Local\TempKLVQE.bat
| MD5 | a4678b79293bd9c72e141f97a921996b |
| SHA1 | 905d1d5d657c904fe155e662b3c3a9e1a0d5b2bf |
| SHA256 | cdea462e7ddc862d1d5d40ed96691762cbcac0acd5a56b6bbb857404af05ccb0 |
| SHA512 | 46b803a85712344f9c49c372f980793f62c8a3629e95a28363706566dbe592475f3fd9377c39570e4d1e87f2010ffb7807347ed772f7cd0f065bef6aecfeaf63 |
C:\Users\Admin\AppData\Local\TempLHVUG.bat
| MD5 | de69c25118df8838f32524d5b65053ba |
| SHA1 | d79b8934dab391b2f85b02ec96a6cf696e23d29b |
| SHA256 | 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921 |
| SHA512 | 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe |
C:\Users\Admin\AppData\Local\TempNVKKL.bat
| MD5 | 6b8f2a80a4c755c5f9ef2d9cc2f02cb8 |
| SHA1 | b771a69c991f06dbbec48d0f2c0251562dd1e194 |
| SHA256 | 0849f89feb845c828eecd47b062e6ccb274f856402734208823b18ed3b5a4c3a |
| SHA512 | 56c9dd10ea7407f4952d90a8afbfa2cb9c4879c95d6b009c37c81c0c3dbbefae2ff1c2eee8597aff637bb182232fa0cfc78eee1868a56ab4f5a73525c7885c97 |
C:\Users\Admin\AppData\Local\TempSDWWL.bat
| MD5 | 8e6dd29af96be192fddb1affd72ee252 |
| SHA1 | cddc04991feafe0cedb2caa2a85d86b4a53f12b4 |
| SHA256 | ce620946150088fd8ced810ef6060be072901e7509eb8f9c3497eb91827ad527 |
| SHA512 | b28f72908c20edd185a2dfec59e2b70746ce3be568e72da84f0f88f9474805b2295bae3e634af9d6c59cea72629b3db14605b10e87a41bfaf36e82834351288d |
C:\Users\Admin\AppData\Local\TempXUASW.bat
| MD5 | 229e201e32ed237e4b91d88b742f33e7 |
| SHA1 | 1165cc85b678748dc20ffb66d0cf88be9b29634d |
| SHA256 | ce068c82ee0b8f3c0c0fb99dcb40ca6fef29bb89ea50b58807d23ab8ea4dd6d6 |
| SHA512 | 155e32955d6216f0fed2867622a3bbbf83df4a8413e32fc49f00882402a8b0439b329237ee04cbbe5c2948b10bc5b87875c9b27319938de0d0afdcdeacd34392 |
C:\Users\Admin\AppData\Local\TempOPYUB.bat
| MD5 | cefdbdf3e03e35a03922a2739efb8950 |
| SHA1 | 3a31bd0b4348e8e7674bf50c7914d4f20a2008d7 |
| SHA256 | dc8ff0c84c87ad432951831214861088639a8d0b992f8adb206caadda2fcfb69 |
| SHA512 | 308278fb087d6df2de2e68bedea72fb061a38bb332e7bf3b13f934cf457a65b0e380c4acd79c8e2262dd2b45a5c6efc935abe3dd554c0fca0fcdb7f151b8cb90 |
C:\Users\Admin\AppData\Local\TempDGIRN.bat
| MD5 | 595674f8c2dd05631a17b5088ca7ba0f |
| SHA1 | a8d9ba8de161a21018c3c5616076523f17de7dfb |
| SHA256 | 5fd3c88a8b2750e7640ba992ba8bc4b4960822a52c97e7336ce238e5f4cc85d6 |
| SHA512 | 4c9f1b9e0c1e55afb06209059f7aceaa9ec82608f2bb011d63cb0268cc18d0218aaa36a3eb4ce3eb71ac0548e28b6bf319f492df72e1305d5d5dce624f3ab118 |
C:\Users\Admin\AppData\Local\TempVHHFN.bat
| MD5 | 91d93254d9bbda49f381c23817b12b89 |
| SHA1 | e252fe94c4083760dfa62f9e9b6873199b86490f |
| SHA256 | 29090be470cc067faa2f02afffe453dd058841c7df2548d8ffb9ede5f8924a7f |
| SHA512 | a8bcc742f907676952fa4bb8c953ef7f95f6c45d84f9b10d66671d8ecb538d3640ebb83f4c60071323de679894820cbde2c5f176c75d9c470feae373ca1a1c13 |
C:\Users\Admin\AppData\Local\TempHUFEI.bat
| MD5 | d167a03d6dd56673d92cafa5d589ed7a |
| SHA1 | 3dcd857ce064770758fa80f35b3f648277b44389 |
| SHA256 | 5d325eaf8c6e6c29bfc248ce2cd439f2e648dbb921e018f08e2b91080807ff68 |
| SHA512 | 873bcf5a77b2a7354e3fcd8927312e7da76863130ec5e57eae0eb12e3cd7d2903f8a536265bc3289a05fa1e27d2669b8c048097a214e1f4618fdb07732dc36f8 |
C:\Users\Admin\AppData\Local\TempYEWVS.bat
| MD5 | afe3ddd5177f0a738bbdf6e1a8c599cb |
| SHA1 | b402baa529bd9e6f6cbb8b9e9c06e4f24cb91727 |
| SHA256 | 24954e3317ae93fa3910cc0460f4c0e0815e99da7bc1e25ba85cc33d92a918aa |
| SHA512 | 5867f05a0f4c63f081bf135d0f73be37e59a097238ae0b944b972c043592263b2df47ab14cec3fcc4622d375a153c83722a1021ed1dbefaebfe9b0082ed9e5f8 |
C:\Users\Admin\AppData\Local\TempRPTOV.bat
| MD5 | bd8cbe07faca3865ba5ac9fba9c4c41b |
| SHA1 | 2a68f878ca44d8f72f971402552d207216fa20a6 |
| SHA256 | 8914e84ec3565b9bf3832a928ba7ec2b168010068a827f5bf7fe8bb7bef476b4 |
| SHA512 | 6bd98ea106b58975d2fd8c059a789b845639cb33a27b715dceb158532bebf7663f0d7ea8471798213c3676d1497f5f9ca60e1953dc2707a805dbdf74e9ef7aa7 |
C:\Users\Admin\AppData\Local\TempVCYYS.bat
| MD5 | edb22a0c94b3a83d6ea131ff143c1dc9 |
| SHA1 | f32f4d02de1cc5b07d0d4efeeccd95da57d31088 |
| SHA256 | 457435fa47027cfff3e076d5bfec48101a110064eee2259537f0a87a89a81f09 |
| SHA512 | 9c8cc84acb524a04442cfa00c69fccf9c5d900a79c3f6fd16e42e051c30ca289994ca01d97603ceebcb23d8d24da5fd9ff110acd5adf92f18bd2acc46dd86236 |
C:\Users\Admin\AppData\Local\TempLPQVC.bat
| MD5 | 9b45b83b29c5dd3d1e26464125fd6c76 |
| SHA1 | 63fdff7174cf9138222dd4f05bb1e9bccfca9e66 |
| SHA256 | 3caa1b94f7f1bde5a662acfab254e989cf17cd383dfc7d04e16d9628343ee45b |
| SHA512 | 60872b0d77d5fdbb89ebe23218827e5d1d5e9a67cb6561aafb3d2a753faae6e6a5f8424efc9e10957eb1567c9173fd3cc38d0c03baf87d6b9da5774da82b97a5 |
C:\Users\Admin\AppData\Local\TempEIVWW.bat
| MD5 | ea1053b117a6c0006bd856329565b27f |
| SHA1 | 27ac999bb0dc06c976a5b4f1924847dd0d2e0920 |
| SHA256 | c0f193c31a8d8dda648d55891ad00fdb05741ff77ec21f2f5abddf4dddf2071b |
| SHA512 | 0aa0b515f084d1162f4d3bcdfdf07666ea908af9e75e70133359bd75471330a0cd0b47375a6d12b3cd566235fdd3548a310d7826909619e130e15c27ad3f4a5f |
C:\Users\Admin\AppData\Local\TempGPBHM.bat
| MD5 | 9e578c30d5abd782192c456c0842e749 |
| SHA1 | b6d0203ff08a568627ea690ad5762f1a4c333113 |
| SHA256 | c05d870d95723502bb6fa7614405ccf842932240675b4c4f539a3b66740d5f2a |
| SHA512 | 23301b106ca4f3c463daf119ea2949c9a2d8bbca9a3430f55e2056a76d289a1c06b1a221527229c9b4fcfc2ba55045c2da972d7f2b01bd9317afc35193c440cb |
C:\Users\Admin\AppData\Local\TempUEPVM.bat
| MD5 | 0e328d5f3c034e344ed81ee0c7646dcd |
| SHA1 | b26283a7c0282f15fef15ac249d812d81d73959a |
| SHA256 | a231ee4757ae9178031d39448654a49e45b54ce4a15821070933bc40f1b2f597 |
| SHA512 | 1752aa74f8a60fdf699e95012ad70b0eeaa6c60b3f5ec976e69e4addb65e47c8e36c9158df8a4d0ff811219e4cef0eea00d877461381880a28413fe48cfa9e39 |
C:\Users\Admin\AppData\Local\TempMMOJC.bat
| MD5 | 7913ed7e6fe6d03df55eaeaf71e339a7 |
| SHA1 | 1053b780bc30cb14c289463b950ca587c96a18a3 |
| SHA256 | c5eb919cd1590c685d9bd28ed39a2d23806fb5a0123a4e4c22f09159306bed35 |
| SHA512 | 57b96ba010b1d499286c124baf83196422ca7d1d8387061198237f0987b2c0127361f3a78a05cf130ef40e0b7ac400384d3de8c37a8d5b0afbdc4612dd373e56 |
C:\Users\Admin\AppData\Local\TempYWFGO.bat
| MD5 | 7e3facbfd1f323f14d0e0b6b9304104c |
| SHA1 | d49ee38f589393b64f173e6ad02671f9685dffce |
| SHA256 | f5f44027a982db4a8a159b6d2961ae86be5a45153cbbba09bcb51bbce2745e5d |
| SHA512 | 6afc7b8927856ca58453f2e73bb1b792a0ad379c449ff9df62c0ca22563733f2681b39ff37b788688b021455187eb683ae9f5366b450b49aa9969f6635872d2b |
C:\Users\Admin\AppData\Local\TempMNWSA.bat
| MD5 | 911de8fdbf3d30e68a4e05a308822af0 |
| SHA1 | d03c42af04964467fbf9b0e979e0342c902f9b4e |
| SHA256 | 8ee66dc7c6d45b514a971dd255d350c426d7a190712deeb33c9b4620a87915ee |
| SHA512 | 806f41991043b5e0dcae977e1872c5588770aa85edb86f98d2788283def60aec7ab3624cbd8955347ed585a0ad0863f303081a929ea2f3f95c28e86e8c758b80 |
C:\Users\Admin\AppData\Local\TempSEMEH.bat
| MD5 | 82a1d38f30636f75a8691f7efedea9e2 |
| SHA1 | 0c89dd617e5282f0f5eead437d1162702cfaae89 |
| SHA256 | 3669915fa72803f1807a919204c9021844fabef6813f3371401bda08e5154863 |
| SHA512 | 3fa39a6753f34f03eea30518e7476441809432714515761fb8c001e868335dde706be8ea05448cef38fe35a378be03ecd664eac5d6cb6501e853f97668bf9938 |
C:\Users\Admin\AppData\Local\TempPWMKO.bat
| MD5 | c9bf84e720372540c21b65cb6be19304 |
| SHA1 | 19bcaffd4f37704a8106d311b8ecf2cda389a5c2 |
| SHA256 | 009ae9d879cf48e9730d02066205eebe79e409260ac27e1e2233f30b39d150b4 |
| SHA512 | 895ffa791cec5d0cfe88d335cfadaaf57f95d22f1c3671762626dd397d3302e9b7ff5c45c28b68b36431b23a194c3e8bb78a43c82dddd9fb47dfbbb53fbce04d |
C:\Users\Admin\AppData\Local\TempNANPK.bat
| MD5 | fd4a3bcd474ed19f3f73864f7f179e6e |
| SHA1 | ac3f785176c306ec48b46ad308dc6d5be80d219f |
| SHA256 | 6e98661d6bd8b17cd3d1b367f0ad87cadc4345a448a44a239020aca52d9fe425 |
| SHA512 | 94a62b2bd82edf4a15f8987ca1028029b5ac2bf9aca49d2f0ddc091b35cd38831fc6c0c5f70a562ff2750beecea27bcdc2a8c46d370e096c73e42538bb614382 |
C:\Users\Admin\AppData\Local\TempVLYGP.bat
| MD5 | eeca7a0bbcdd5dcddb806b64a25b3346 |
| SHA1 | fd1fe03a7130cbd404e439ecb32b7e5c23ecc69d |
| SHA256 | 01d87a3bf2d0899fd273ba870c44a3c499f1dfcae28d683bdde663ecc79bd958 |
| SHA512 | 10af1ad21c1563b26f360c368db5a69c6960d9696a4cdd48a5e7becd75e8f07b3f1e139983901a98431dccc694f09448f40085969f57d02eafdf4abfc5823946 |
C:\Users\Admin\AppData\Local\TempQBUUJ.bat
| MD5 | c0b3385161f32248102b45fb6b269bfa |
| SHA1 | 065ce91871e5f9045ed3d0e5c53419666664374d |
| SHA256 | 65f6985545d77851dccd9e3b752aebf0d17eaa29b0490911a10eb2cb306ab4e3 |
| SHA512 | 21d0dd3076c353efb738dd93aa6670f6dc1495e7bcef8277466a5684e3b1345230817a5c5830b5820137010d0b4b1ae2d9c5b6dbe6c2753d644792da79b6f911 |
C:\Users\Admin\AppData\Local\TempQKPMX.bat
| MD5 | b696683dc01767ae05abcbed59ae9437 |
| SHA1 | fdc4424f4b6b5677edd6963c7542a16f6afe12af |
| SHA256 | 9285103919e67baed2fbfb03d9001aec9fed9c5ce71dcff8d9ae4adf99604580 |
| SHA512 | cec464751b340c3d5d87190d1138868b6f3443c2267246ba4b3d4a39ab5e3ae0294c30f5a7e4d3667b604714f2e05fe7f74b9973318aad990ab0814268c34b9c |
C:\Users\Admin\AppData\Local\TempIBDQM.bat
| MD5 | 1e8813a92712fe490ba4002048c487cf |
| SHA1 | 41743664b2ac68b55cc34d6d9d93224c21bcc9f5 |
| SHA256 | b8effe0feaff70a9f1a251de4017611a9e5ab48d22ee4297a6a48d972101d898 |
| SHA512 | 22999cdfb36cf286c378439456f35f38298d0dee487fe21265d63e190a5fd040623b9891e8c8a325742b420cfecfeb03a66e1fe75169707243bee435a3211aab |
C:\Users\Admin\AppData\Local\TempXSSHQ.bat
| MD5 | 7aaa96a2a2c936a6c7bba3d926ed037b |
| SHA1 | ea7a4bd0fd1c1ad1a4af6c5ab4107cac01e1a0f5 |
| SHA256 | 7971dceb449131e446c9cbb5bb5e004180b97e41a3395e85180f5bd9ce026ace |
| SHA512 | 5a14bfbc2697c0a8ca773ee17f1caa0cef1ab1bf2740b446e388d19bb42f1beb15f6ddbd69d0c023e753551601ee7f262876fe82f1b0374d48c8ee0ede7f6d9f |
C:\Users\Admin\AppData\Local\TempOWKKL.bat
| MD5 | 4578bdf21588c4ec22d6239c4ef47cdb |
| SHA1 | c4ff0891e82a5c06a10c62568202fc5f12681679 |
| SHA256 | a39bb7ea785e6349eda9f0ef0ae59917c4d7417b848d7a0bbb8ab59ebca09362 |
| SHA512 | 33b9ed10d4c2d63750852289f2d6f0336ef372175bcacb123f45fd2cd9fe99a521e969fa820479660265dd65e598137517f8049e601e0451312bab51490a2be8 |
memory/2792-1194-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1199-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1202-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1203-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1204-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1206-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2792-1207-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 03:39
Reported
2025-03-05 03:42
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUTJTNLNDIWVIQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEFBBWREMGLITQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFDOMKPCGBQVOEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGBAGCXSFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKTQLFAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLELLUQYPENAWVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ERHVRPUGAUWARKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BIMADOQLJMBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULKAU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWGNCBCXDTOBJD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGJVWER\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPCKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUNDNGFHYUVC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5092 set thread context of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe
"C:\Users\Admin\AppData\Local\Temp\70ad55e752d1b0a7dbfdb2cca003221608708ae0bc09b9508c5d708835b5beff.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQKDI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLELLUQYPENAWVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPCKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAWOUNDNGFHYUVC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ERHVRPUGAUWARKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe
"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYWFGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe
"C:\Users\Admin\AppData\Local\Temp\OGWGNCBCXDTOBJD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUTJTNLNDIWVIQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSNVJK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEFBBWREMGLITQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe
"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGES\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOWO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SKJRGFGBAGCXSFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDTCKTQLFAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGJVWER\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OFDOMKPCGBQVOEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\TempQQKDI.txt
| MD5 | 2deb03ec61f2a6aa1470065acb1f5154 |
| SHA1 | a17c83194bf954f1b1b89585194053724765aaa0 |