Analysis Overview
SHA256
75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1
Threat Level: Known bad
The file 75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1 was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades
Blackshades family
Modifies firewall policy service
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 04:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 04:01
Reported
2025-03-05 04:04
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDEYAVPDKFKXGSY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDRMKPCPRMFIKTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASJGBUYKLIRDJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRRFGBCXSFMHMIU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBROYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYVVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIXWKLHFHXKSBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IHLYCMSKBACESAO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJTPKEETURAB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HNSDBFAITVQORGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMAABWBSNAIC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEWVRSFLSSDXWLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVCDAIBGUUIJECF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LAUQLUGVBFVWTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EXVEEXNIRIGRPOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXJGKFNCDVTCDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDNWUEBLFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIWDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVNUJTJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVTRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRREGBBWRFMHLIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGSYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXLXIHLYCMSKBAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFQXNLPKSGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDSXQGQKILXBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBEPRMKNCQXGSWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGBQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSJITQPTGKGEUSJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEEAVQDLF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQVCDAJBGUUIJEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLPKSHIYAHIQMVM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAIB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WKWHGKXBLRYYJAA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUXKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVOTMCMGEHXTUCP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKTKUQLUFVAFUVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BPFTOMRERTOHKMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTTRALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDMWUEALEYFVOST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSPYKQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKRB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VBCIAFUTHIDCEUH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJCWBDUQQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHQNIXRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCQMKYPBORMFIJS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCIN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPBBPUMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHENFKYAYMNIGJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDOHFIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPRMKRMCQXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCGHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRVHIFOAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWVDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBIMAD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJKVSQUPXLMFMMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYAYLNIGJYMTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXIJCWBDUQQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4116 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe | C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBNVN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MCQMKYPBORMFIJS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJKVSQUPXLMFMMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRPTOV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRRFGBCXSFMHMIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTEDHY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBEPRMKNCQXGSWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTYF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDNWUEBLFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXJGLG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGSYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe
"C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLUGVBFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCGHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWVDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe
"C:\Users\Admin\AppData\Local\Temp\NFVEMAABWBSNAIC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHGTAX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEWVRSFLSSDXWLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLHFHXKSBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPMQLT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PDEYAVPDKFKXGSY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVIPK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQVCDAJBGUUIJEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDIPBBPUMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYAYLNIGJYMTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVTRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBKVTR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLPKSHIYAHIQMVM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAIB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTTRALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNHCYQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IHLYCMSKBACESAO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe
"C:\Users\Admin\AppData\Local\Temp\JCSBJTPKEETURAB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTCOTD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GHENFKYAYMNIGJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNDOHFIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCDRNM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKWHGKXBLRYYJAA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
"C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPJOLW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VBCIAFUTHIDCEUH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKRB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe
"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VBUEQPRMKRMCQXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRDJO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUXKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DVOTMCMGEHXTUCP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRREGBBWRFMHLIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IDSXQGQKILXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
"C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGBQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHQNIXRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFJJDB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EXVEEXNIRIGRPOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
"C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCNTYK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKTKUQLUFVAFUVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUIPKP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVCDAIBGUUIJECF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSPAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJLGCD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSJITQPTGKGEUSJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESAON.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXLXIHLYCMSKBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe
"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCKBWL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HNSDBFAITVQORGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHQHE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJGKFNCDVTCDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOWNH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDRMKPCPRMFIKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJASJGBUYKLIRDJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMWUEALEYFVOST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BPFTOMRERTOHKMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe"
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f
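The REG ADD and cmd /c lines in the process tree above document two behaviours worth detecting from command-line telemetry: persistence through HKCU\...\CurrentVersion\Run values that point at a service.exe copy under the user's Temp directory, and tampering with the legacy Windows Firewall policy (DoNotAllowExceptions forced to 0, then an AuthorizedApplications\List entry in the `<path>:<scope>:Enabled:<name>` format that whitelists the dropped binary). The block below is an added example and not part of the sandbox report: a Python parser that runs over such command lines, using a constructed sample of four lines copied from the tree above plus one benign control line, and emits findings tagged with the matching ATT&CK technique IDs. The rule names and the Finding structure are assumptions of this example, not anything the sandbox produces.

```python
"""Extract persistence and firewall-tampering indicators from recorded
command lines (e.g. Sysmon event 1 / EDR process-creation telemetry)."""
import re
from dataclasses import dataclass, field

# Constructed sample: four command lines copied from the sandbox process
# tree above plus one benign control line. Trimmed set, not the full tree.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXIJCWBDUQQ\service.exe" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEEAVQDLF\service.exe:*:Enabled:Windows Messanger" /f',
    r'"C:\Program Files\Vendor\app.exe" --update',
]

# REG ADD <key> /v <name> /t <type> /d <data> /f, with optional quoting.
REG_ADD = re.compile(
    r'REG\s+ADD\s+"?(?P<key>[^"\s]+)"?'
    r'\s+/v\s+"?(?P<name>[^"]+?)"?'
    r'\s+/t\s+(?P<type>\S+)'
    r'\s+/d\s+"?(?P<data>[^"]*?)"?'
    r'\s+/f\b', re.IGNORECASE)
# cmd /c "<something>.bat" (the sample doubles the quotes; "* absorbs that).
BATCH_LAUNCH = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*(?P<bat>[^"]+?\.bat)"', re.IGNORECASE)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.IGNORECASE)
FIREWALL_KEY = re.compile(r'\\SharedAccess\\Parameters\\FirewallPolicy\\', re.IGNORECASE)
# No trailing backslash on purpose: the sample writes "Temp<RANDOM>.bat"
# directly under AppData\Local, and that malformed path should still hit.
USER_TEMP = re.compile(r'\\AppData\\Local\\Temp', re.IGNORECASE)
# Legacy firewall AuthorizedApplications value: <path>:<scope>:<state>:<display name>
FW_ENTRY = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<desc>.*)$',
                      re.IGNORECASE)


@dataclass
class Finding:
    technique: str          # ATT&CK technique ID
    kind: str               # rule name (assumption of this example)
    evidence: str
    notes: list = field(default_factory=list)


def analyze_cmdline(cmdline):
    """Return the findings for one process command line."""
    findings = []
    m = BATCH_LAUNCH.search(cmdline)
    if m and USER_TEMP.search(m.group('bat')):
        findings.append(Finding('T1059.003', 'temp_batch_launch', m.group('bat')))
    m = REG_ADD.search(cmdline)
    if not m:
        return findings
    key, name, data = m.group('key'), m.group('name'), m.group('data')
    if RUN_KEY.search(key):
        f = Finding('T1547.001', 'run_key_persistence', f'{key}\\{name} = {data}')
        if USER_TEMP.search(data):
            f.notes.append('run target lives under the user Temp directory')
        findings.append(f)
    elif FIREWALL_KEY.search(key):
        if name.lower() == 'donotallowexceptions' and data == '0':
            findings.append(Finding('T1562.004', 'firewall_exceptions_enabled',
                                    f'{key}\\{name} = {data}'))
        elif key.lower().endswith('\\authorizedapplications\\list'):
            f = Finding('T1562.004', 'firewall_exception_added', f'{name} -> {data}')
            e = FW_ENTRY.match(data)
            if e:
                if e.group('state').lower() == 'enabled' and e.group('scope') == '*':
                    f.notes.append('exception enabled for all scopes (*)')
                if USER_TEMP.search(e.group('path')):
                    f.notes.append('excepted binary lives under the user Temp directory')
                if e.group('desc').strip().lower() == 'windows messanger':
                    f.notes.append('display name matches the misspelled "Windows Messanger" string used by this sample')
            findings.append(f)
    return findings


def analyze(cmdlines):
    out = []
    for c in cmdlines:
        out.extend(analyze_cmdline(c))
    return out


def summarize(findings):
    """Count findings per rule, e.g. for a triage summary line."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == '__main__':
    results = analyze(SAMPLE_CMDLINES)
    for f in results:
        print(f'[{f.technique}] {f.kind}: {f.evidence}')
        for n in f.notes:
            print(f'    - {n}')
    print(summarize(results))
```

Feed it real process-creation telemetry (one command line per list element) instead of SAMPLE_CMDLINES; the Run-key rule is the noisiest on ordinary hosts, so the Temp-directory note is what separates this sample's behaviour from legitimate installers that also write Run values.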
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | | tcp |
Files
C:\Users\Admin\AppData\Local\TempOBNVN.txt
| MD5 | 24c2f0e1418cade946626c1e4c9d3db2 |
| SHA1 | 260517f4ba53f1062f0e60840d1e25d804a3bcfd |
| SHA256 | de23ce509ea458dc5a9341b808d6fc8ee77cd6dde856f4f7c34e105071ed7855 |
| SHA512 | 72747ae22f5b3e47ea2028e0e8a94feef6dc18a4f10f2a6adb2bb53f8b33dc2580a6c18635c0c2302fee361a79c36631b36015dcddf762a3b7c97c387b7a809c |
C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.txt
| MD5 | 2596faff5e611f3787be85229f2ce55e |
| SHA1 | e519fdeb31a26eea4f5d8fd18e12cb34aebff837 |
| SHA256 | 91ac8294e4ef0e3a990008de42f5f142b45fa620221f8f0ce3c7fb95662102de |
| SHA512 | b3431e479a96c9d7322e1c49dc940d8b72bd0300d09c508bdf5b2bd125d79b265e369142b8ca684d4633630da6c564a25b8458a01341cc7959d358946ceff02b |
C:\Users\Admin\AppData\Local\TempHIFOA.txt
| MD5 | 65051c70fb370f0677d286ed2bb6bbc2 |
| SHA1 | fd7d7addbb9b886bb624ed5943299ac1b5736fee |
| SHA256 | c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9 |
| SHA512 | fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145 |
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
| MD5 | 72716d493aff8a6997f6308fe5dbf9c1 |
| SHA1 | 98d11ccee4c53f625eaf9f147c069be063085b03 |
| SHA256 | ed046ff939cd5398486299c0957329c3ae756c82b2e626861eced9fabda2436d |
| SHA512 | b3850ae274c79db00bb6acf21ffcb0c4a06d35e6b2fa9367febbfa7b289d159b6ca73a698a27a8bcc50323486a80f977be6dc7ce3466b6041bacbc84cabe0185 |
C:\Users\Admin\AppData\Local\TempQQFOB.txt
| MD5 | 5cc2ea5b9b6c892c60e123e88c6a99d0 |
| SHA1 | c998802db0b4c11a3d31a01909c2179a90cd0224 |
| SHA256 | 5c6865a907c51e367723eb27fe16e1b9a429e3a91f39acd37efbbecf482cbc03 |
| SHA512 | 6ff4955273f29c83537150ae6fd8ac53ed71ee96ab974774fa8b009284baf78efd17fa4d54cbc62cc91bd9ca5e7cf4e857b6860e6d85d162c330e0d0fc24a071 |
C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
| MD5 | 379f89b7b5e01302a41b0fcd82ff3c7e |
| SHA1 | a6ff514484d8c4f07382b93c44b9e12f0bc95c8e |
| SHA256 | c33e1cc2735f2e0845edb1e3473511015c8264f55d3481c583827e36b29235cb |
| SHA512 | 8aa86be3b56a018619c3e488858cf2445eb1f95b2ed42b69a20129136831bd6987d9ce8fc7c7cfadf3bf9db082dee9caa05278f746508597b0d863fb935ce986 |
C:\Users\Admin\AppData\Local\TempRPTOV.txt
| MD5 | 2ce4c6b9a237cf057b039930930825ca |
| SHA1 | fdee448380062355e0481732343c1c855d63ec21 |
| SHA256 | d073fe00ea7f669a17ac134ee52dd92307f850ed14853d02b33e1cc6fe5a9073 |
| SHA512 | 53dbd75b64da54e319636d87c7f2b5ddf87c26e29d18292ef831e7b5ea274aed8a58ca63737877575baede6950902bfc9a90de32ca6a3d8af269dcd2bfb06b99 |
C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBROYOK\service.exe
| MD5 | f3700f5774af5f2dffaea7d768b78ae3 |
| SHA1 | 5d3c6e193a78a038c5dcd2e431b2abb6ab79fe00 |
| SHA256 | 8027d7e2325de2c56fea474fb534b5ed0e07d372e0db12c222e2cb507163681f |
| SHA512 | d195ca57e920cb31396be49487430be5924a13a7f50cede002f49b733a1f85ed8026ccf645efb945d44f3c28366b12014218a80db2b6db15a12b58a4c5dc472d |
C:\Users\Admin\AppData\Local\TempTEDHY.txt
| MD5 | 7f0b527f7baf38b696050eda03a7dbd0 |
| SHA1 | 09550435888ff4507d342f553820e71bc5cfbd9f |
| SHA256 | 33222eb27238da3553e43f9ede57fbd5a6a2e5b482522adbf820a7a35877f66d |
| SHA512 | a26143eb0054adbe029547d6b6db46c00cdc9376c39217a2090fbce798a86d24021940db491031fb92b845512bef54c059657dcd5971a44b6a3c41d2ce14fabb |
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
| MD5 | 254ca3140cc2a4d23a4a08c025204c5b |
| SHA1 | 1549a3c1b95988497cf287c8cc850acc02e1a250 |
| SHA256 | ad23a23149e77f9fb1a850b6d7131657c53e1a19da5daf3fd0251f48a28c3fce |
| SHA512 | 9be996a97bbbf06268d7986d72fc9ba02607effa049e6454ec07009a49f71ca4bd26965767197cf3689e3b87329191c2b7a4fad026721356e04561a178366ec3 |
C:\Users\Admin\AppData\Local\TempPSTYF.txt
| MD5 | 9b433bc15d3d296e8a7a971b6b81193b |
| SHA1 | 137eff257f036962f818b60de1265298ff0cf0f2 |
| SHA256 | e6f45e547628956b5902eabe852adc97a82153b19f0daf7895288668d7bb6374 |
| SHA512 | 3189a044189a99d9bdc57faad32900c68a8bd5ee71ef05e86a2627601ff19dfba13cd938f196a3f7e65fd8b84a95f192addfb2860b0907c4f7cd13b408e541b5 |
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIWDMDX\service.exe
| MD5 | 1086ef81abe16e09fb53cd8e6fe38497 |
| SHA1 | 54314e3b630aeb595acc84cb2aaafc313448ecf5 |
| SHA256 | 3eeb487e2e021bb83ff7137091db0e4d2d0135a60b18c4a7e3aee29ae6f638d5 |
| SHA512 | cef6926a5bc76cd306fbb3cc3d971f54327fcc2ce7080d25fe342975c8dbd46ecb139fd90d885205eacc4b4a93d62e35899765c03d4fccedb4bb4f794185e552 |
C:\Users\Admin\AppData\Local\TempXJGLG.txt
| MD5 | f6c6a403a39749222bb69c6861d6e00e |
| SHA1 | 929cdf17c595d7dd4ae3dcc73744d40fb0916469 |
| SHA256 | fa980b6510eb003301bbbbf3041d09df1c00ece88db792be56ef83183710eb4c |
| SHA512 | 9244c30fdf053377ce4133f14e9d1f794f01121a13e62551cf80f90f2dddf884b2713466cb235cd1cad2cee1fde843df5b9a5499aef76ad61c2c20db81f0f6fa |
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
| MD5 | 21f9b0e9d18b20e73279f97d9e937686 |
| SHA1 | 007df101c6346e0fba2d2a0c933e1844c52b1941 |
| SHA256 | 0b12802d6f29ef8934d07f4b54e3071658662e058e6816b50e9fd703fff8efb7 |
| SHA512 | c9aa0877b1624018e3c6907dbe79c17275c318584415e938797ff425db6e7daf95b22cc9a3abaa4b64828b1487b331f8e787e5f9b721f0c315d1c7dbb116a86b |
C:\Users\Admin\AppData\Local\TempUQYPE.txt
| MD5 | 5a4384ad153eee40e71481f1b84e2979 |
| SHA1 | c4f6eaf1a1a7e034ead8fb98d9f946ae66547733 |
| SHA256 | e24020f861db2b12a14f5de1030b174886ce889fe47e68fa46f555d2484ec935 |
| SHA512 | 68a15ebf11eb0c7e315606916b9e3420d6bdeeb4cb0ec9b822fa629bd0ecbbba379c81b966ce5c686f7d47b51dc9d1752faf4ded1fb3c3b3ec11aba06258cf09 |
C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
| MD5 | 9796752d843ba9a10a216d2e8ac83cfd |
| SHA1 | 4d12cd3225f93e6575cad6652c72d2318b3df8bd |
| SHA256 | afded2176daad044c5924bfb3e48244efeb7ffdd5bf5c44c0992316e38624ce9 |
| SHA512 | c6230ced3b3ddd2242d81287dfe4cc828cbfb469d1dffa34a65c14fb841ca3a29bb2fa192ed12471794f6998120cd1d77d712e322b1977b3bf4e659470229998 |
C:\Users\Admin\AppData\Local\TempKNOYU.txt
| MD5 | 11ba06449b0fed6f98191316260722e7 |
| SHA1 | 7954fbe57520cb3d858059ccd373e28c3a87b5d0 |
| SHA256 | 5b2bbe6fa1d404c9835ed1bac8aae3c9d0118c0cc9b6e3a70ad625a14d4478e0 |
| SHA512 | 1c9bca04351ee2a84beb0c2b52440b36e20985798401d4c6de3c22b8a846120f4ce7b339893dea64b2a4d10b966a52cc64cd7dc14eac41f1c9cf84d0800f85b4 |
C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVNUJTJ\service.exe
| MD5 | 35bd19438f50112ee844de62ad902832 |
| SHA1 | 0919c7609230dfce3012d85d71ba992a9d28b727 |
| SHA256 | 37b061456652acc76ec89f65c8f61ab3868f029fcc9b60d9c88458eedbe4d92c |
| SHA512 | 2bc956147f72fa03eb1c5ec1ea041af90e42db9de7cd88a27f8846f54cd893fbbe3f59bbda020582890dbd218598b538f752d324a4c1eccc370d6250a03d0226 |
C:\Users\Admin\AppData\Local\TempPPYAT.txt
| MD5 | ba03c24769ee4df2b3348900a5eef3b0 |
| SHA1 | 72602242abef0ee01aa7e6a2f66af2c3d50b5238 |
| SHA256 | 547f261efc13275bb26c77cd9cf03ec474403c7141bb83f787d00adb95100117 |
| SHA512 | a02ad29aeadc37fdcb71cde132039404cd302d55eda8b4b7b07dc8074a33f13e8d5560fc66502638aefe9ebd589c506c4569e8f24e2e48653e780f21576a077c |
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
| MD5 | 7aafe35f1ea898228b02d999a20877ac |
| SHA1 | d7a78eebcedcdc3a779e2385c26d60e9ea86d086 |
| SHA256 | 89dd5d30247aac16ee3d5483e60e6eb4e7cbf38914f099c050cb629a79860dc0 |
| SHA512 | 2b611dd9501728e30db02a3bce17199701a3a9b6393b5b4908f45ca47c3ca072fdba78de047dd0d7a526db136d9a40cfaa741e3008983fb05e698d8e91aa3c88 |
C:\Users\Admin\AppData\Local\TempUFYYN.txt
| MD5 | 455fc777ca670028aa6a797ef4e9c060 |
| SHA1 | 00e9fe86b46dc414762245344bfa569348f78ac8 |
| SHA256 | 1489bc1f65cf47a89842490e0d8aba5b0d5331bfee8fb5114a7bb66794487ca6 |
| SHA512 | b759a9f0971b583d8dc90d0bb11c6a3005f5cebabedf17227f09488ffb2d9615870263aba19d9629fd4b51a8b9b2a0aaa4c15c5b1dc4c57d8435412b013e4fd0 |
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
| MD5 | 3aaa21100972c76fe394285fafae4cfa |
| SHA1 | 040f0c5306e43f961fa021c9f7844883dabc291f |
| SHA256 | 6c5bd498dd37ab4a8e4d211dc00f1d59bf94cbaa0a7d42d9ab4f7b9035e82823 |
| SHA512 | 4316e8d20bb14e6968b1be0846775e0f6fe5accda749d4b502034efb7a308179efd7470e851112c71d363f2e01b4889a0f3513ea6d7a26edf36c28b545c94c42 |
C:\Users\Admin\AppData\Local\TempUGMRD.txt
| MD5 | 1ec7e3ccc363d8da29003f6ca9f20bcb |
| SHA1 | 0f0f489d7aa81ef3940691225309146a6831f60c |
| SHA256 | abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c |
| SHA512 | bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2 |
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
| MD5 | 0ab766575a4aea45c529f8f07d1e030e |
| SHA1 | 1a22c7fd89e1331392798093755587fb4f239229 |
| SHA256 | 3225d35d3bf440aa1844b94318b473d283b183be4b622201e09cb31e44ac348b |
| SHA512 | 5d1e616005f51576cd77446f7c9982abd2336d4638618f3775ea90033715cb2abc0741ef84b551b6b34216b33ac543cb66895e22c2e8f915ad24d184f25facc2 |
C:\Users\Admin\AppData\Local\TempGUCQP.txt
| MD5 | a05bc5c948181b8882b7b95448172f1e |
| SHA1 | 9dcd6a7078ad15bd61db8a84bbf43688fb27742b |
| SHA256 | 42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226 |
| SHA512 | 24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a |
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
| MD5 | 4b1dcac05ab6080808ff94a24208fcb5 |
| SHA1 | 4e9603b920feeb6452538306fc8faf740c39a0b9 |
| SHA256 | 0b04c7f54fa1a608a8bd582f27b3fbd1eee88570e86ed025196fb146c7e535d4 |
| SHA512 | 99ea3a1418859e7822e958b6f7adc73ab884728d38feabe7706573302f2e5a85b73d5d80bb1d24c6b493251a6e4b68c7ce752f55eab836881364a14e917fc36d |
C:\Users\Admin\AppData\Local\TempRCVVK.txt
| MD5 | 1b8a00edd0fc407d3403cb505dbd5f65 |
| SHA1 | 01e6613e2bf660ccd6a0c976b7ca8a7abaa54fc2 |
| SHA256 | e11c26837d37df3c197fa7828924cc2ba298fda359ecef1db90c23f8f2503a5a |
| SHA512 | b63261cbc40fb7e5cb957f9417b78e8857ea5fb57c49aa98421737892626ccec8cf51426500e88e942be731c5fc8eb48b533e7c962081aa0c049923c31688f4a |
C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe
| MD5 | 38a118dae986ecef7cbb8ccbda1f3602 |
| SHA1 | 58efbd026ba1292e4a1ed5f84dc37ef9ed5cc3d3 |
| SHA256 | 93a4fb5acb602d2982e8df1a7686a17fa70fb5466eaec3ba4fc8d912285217c1 |
| SHA512 | 6e1a5e5d545329405b794f3efe7090a6c22451c5534121e4694deef3266f1ee67d68daff5276beedf093ab6c9ec6a28f16f20b64381eb53c97786d242d9550ee |
C:\Users\Admin\AppData\Local\TempIRNVM.txt
| MD5 | fbf8beaf48fdc011e243d8595f2140f4 |
| SHA1 | 92bc32a451b9666446a343abf3389a9653dee951 |
| SHA256 | cb6b58412c832a730e896acd16f40bc0679312df5c467bfdf5e10c66495aea49 |
| SHA512 | 286d70c6b86c59d8fbf3e56bce71c36c7db06b77168b5842499065573c65f684c18f895301cf0d0210dbe801369df91c636d6e2cf31fc89e1c4c35f8d8642bb7 |
C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKF\service.exe
| MD5 | c1149ca1be9f8bf14e89755c7aa4e0a8 |
| SHA1 | 45155035d8d9be4cc558f771aa833e3a1322803d |
| SHA256 | 17d4501ca0a6d9c07895edc6e96e22b4114f8aa702521af658b67be337c72d40 |
| SHA512 | 963792ac651f8e6b9e17fea2809848046b6e2d0918eae8fd6cb020024834d6a68db827b2c436856a5cc425d7bddff7a3c8aebc1932617d14a191985149767ee8 |
C:\Users\Admin\AppData\Local\TempUKIMH.txt
| MD5 | f345c4741d0081aa0932ad7f5845f759 |
| SHA1 | d9144eb1df0ddb1070de557dc04da0b28e1633bc |
| SHA256 | 59ae30069cad5e80ca7e9a8dc55b36753cab62d2f0b1c9f6a43df50f56e842b5 |
| SHA512 | 6207c4c517053b2d19e05a55ee8bbce09fb78f749caed525c22c996de014766ba114139628b2263c66bab73626793f7705df0d4342a8d9cd70f9b0f1e059b221 |
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
| MD5 | 8b2a491ffeb5a9d68e20a6240d70a7da |
| SHA1 | d9ccc987caecd143df63a7fff8dde465d3edcdce |
| SHA256 | f33298ebeb7e97e78a5e4b4e1e4116df4caec4fe1af58580affd6bfc26f81018 |
| SHA512 | 9ef61fa05731e787c831890a87e2b43b1deda8e125f4967d6efd74d2f306f3cfc221ec01b3eb2ad495c58ef02af64687f4a6127fb075e48ae2f4a11d025d512a |
C:\Users\Admin\AppData\Local\TempKTFLQ.txt
| MD5 | d55e6f40d7cd30b45c4d53f24c07ffa0 |
| SHA1 | 858e175f6baa0cd28d08af0fa4a81323378c5444 |
| SHA256 | e1f38603ef277b3320508246e951856963b81f2e98862f9ce6bbce6d2d631763 |
| SHA512 | 90b2938eefed287196c17a415d01882c0b8ab07ea54e226762f76cd86fd395ca912c880c88048a06fb0fb89d09b63c1aad8732910a5d7d395d978bcb5f00a584 |
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
| MD5 | 1962ee9e3658539b99bbcbe820705634 |
| SHA1 | ce7e9e8a2b31df31d1eda8b8311ed33b2d728470 |
| SHA256 | 74b68d5e7b07039255c69b7c90258ef4d29ea065db279783d8614bfcc3503b63 |
| SHA512 | 77881f39cbda8a4b64ff69a8ac25cb02276bfdf919113cf87f5bf4c1da64d83b8aa645e81fcdb09fbe0c3a4862320b1acfd4b9a658d84bb19006f45846505237 |
C:\Users\Admin\AppData\Local\TempYGOFD.txt
| MD5 | 1c8a1be9bc3ebb31b2592214152bb854 |
| SHA1 | ad9dc2375b15466336615991e8f93396679cd5c7 |
| SHA256 | 8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb |
| SHA512 | 0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81 |
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
| MD5 | 61cf4e9e636ecc1700fac983bc6e307f |
| SHA1 | c68ac3e52d6d76275b905d516707488a3bd5a8f1 |
| SHA256 | b3e6bfa503e2fb7b16dbd64c0bfc308c7f5d2604c9798b89af03469640f294c7 |
| SHA512 | f261259c168a7d664f470b42f8a24709103f3ca5a7e1bf33a92dc31e7b4b1fe6eadd45b2b7f64087219ac98b21bc522387c51db72b99bdbc16270612f5867021 |
C:\Users\Admin\AppData\Local\TempRCVVK.txt
| MD5 | ff63d8e96cd28976f42345b2809c73e1 |
| SHA1 | e5b172e153c6373f1c4c65550f6b037c2a07577c |
| SHA256 | 9fe75f61c2ae4c8c2590dc4a9a6d4e6136427bae61eb2dc9f669768a64981768 |
| SHA512 | 9132e2fa180702b9b64b1163aeb324d5c73d9f530e62369f23756421adc7fcd7128b6b702993117a697f370e9a494fbaf9f0ea1ae0473dd9f47fe7dbd7c7f306 |
C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe
| MD5 | 2c9c316db12cbd05c960c32493372144 |
| SHA1 | 2f363dfa79e857d6008267fd26b3610ccf8e3877 |
| SHA256 | b06305086554590b99f423848c61e217145136ea4ec2cda573659f7518dea43d |
| SHA512 | 5cf1a187744173de06c97cd4b728bcc4b55566de6feace95d2ab9d7a1df997fc9367fd3befa3dd6675b7605832a7c58278b52039dee4edc9d70535508feaa074 |
C:\Users\Admin\AppData\Local\TempCWAMY.txt
| MD5 | 4d4091459af74a77721c38b55804957a |
| SHA1 | ff472eaa805892be07006d056f1eb01a3885cac6 |
| SHA256 | 1fadc6c62b8682e1c2cea26e8fbf0287892ea7e2499684b121a97e2203fa9c18 |
| SHA512 | cd8a39643eb396eb0dba86fd004682d14226ca6ddb18540e2958d51b4199a2729a7836e082ef41ace4d8a04b28b9a2531b68d14b0f9de23f03281772531f664c |
C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe
| MD5 | 88043ff594126647c9aac5c39de5ff11 |
| SHA1 | dee230d1c6701772ea8f806c46fccc26d2cf090e |
| SHA256 | 828f39cb952fbfade4363d8d2d0189f81dd7476a36b05f82060cc8f1e2f6bd0e |
| SHA512 | 8d5fbeb0bf921611d0f8f2525bf8299605600272547b1038bdbe709b0abcc48347e5cb02226457c2f59c70c739966d8dd72ab603322dce6b5c3eb69e6bc73db6 |
C:\Users\Admin\AppData\Local\TempLTKFO.txt
| MD5 | 600de9ba6410731f1dab1b1209f9b7cb |
| SHA1 | 95eaa59fe43e255ec9f6ed03fcefbdd8d8e3bf26 |
| SHA256 | 00a1f7d9e97d7dfffba22410abdf3fc13ba7c996208474f55ca7240af930b4e7 |
| SHA512 | f2525d858df80b87dbc1ea4ccedec63a054e4ec7ea68506d02fcc122d9bd4c4c5724afaf00df867f8d3e68e6bb101bbd29208e439b2969a810ed00e49d793ac9 |
C:\Users\Admin\AppData\Local\Temp\GPYHDRVHIFOAGLB\service.exe
| MD5 | 040bd162c23091c5e13a2b2c536cb46c |
| SHA1 | 27a07199eba9df1f6bbce77bee4279972a495514 |
| SHA256 | 1b8d0e4cc8bfc32237e597d4d4d0178bc7ad2b6a7eb265ec3e8d7ce907fa7bf4 |
| SHA512 | a2867ff2f612131b78765487355456cffc40f059b1967b26a0dc215b2eec74d24d1d9994415796817aa3a0e7674596dcb61e9d5946e1f4f8d75b90b79f204c51 |
C:\Users\Admin\AppData\Local\TempXNIRI.txt
| MD5 | 48811a19fe9dc5d9707922daf1c24028 |
| SHA1 | db22aa5f235045892c7f194e14ed8963063cd6c7 |
| SHA256 | ea8257645737bef1a0996db3d647f6b045090e52790ded3a7f6e0e1cf024e400 |
| SHA512 | d46885c8bcb7642bee9a1c8e0ab905620a92a1f9942a886c7f10dfbbee70caae950e026d72ab42cc9d78d9466a328f43c520984e5e3d140a9ca79d1acc821193 |
C:\Users\Admin\AppData\Local\TempGYXTU.txt
| MD5 | 15f356bf716202506bde9dc0a1b921c2 |
| SHA1 | b0eb51d47e256c9b5a4513758d86412366986f29 |
| SHA256 | ed37a3e08259934e790ca1a78068a0d3295371cef6ed81749173552ed42e1983 |
| SHA512 | 32dc9603e864597514149d9fe1a84f79992d5a4b8a5d7cbe89cb4a5b5b5c7409798333ccef12906f54694dc262a22b7cd73a32453ec4cb47c29e935139ec42c8 |
C:\Users\Admin\AppData\Local\TempXGGPK.txt
| MD5 | 92012f0668bee46ff4f22de0c512ebc9 |
| SHA1 | eaadb3aec6c416ad3f2a7db8020f518d0c24b843 |
| SHA256 | 0a5ae9f443a61cdf8fb5c0deb1a7e66e4a8ab5005cd3c5323b571ef2cafab802 |
| SHA512 | 139caad4d91981febb0d282c354f977dd4f591986d01863a60c32aeb694794836caf422796526b15b93350d51d73ce339fbdfda85d31d586a8a10c7bdd32992a |
C:\Users\Admin\AppData\Local\TempHGTAX.txt
| MD5 | 96b45457d58b0a74d454f7773168579e |
| SHA1 | 69f165ce112b526cbc2bb99cfca76b3878f5bc3d |
| SHA256 | 44ad5611744904355d8f42e7698c2cc0405c8a37f8b43879d93b21a0134f0f69 |
| SHA512 | 950cce5090dcff6e5c24b8f161c4aa083a7a8d1f5a94bdae1cb7f475c13023f0ec6d7ef1bda94ab9145f4fb41e94364d07869d2d30925d4639fcb7b49a3373c3 |
C:\Users\Admin\AppData\Local\TempBOWCU.txt
| MD5 | 87cc50695f15c2f63b4666c97e17c811 |
| SHA1 | a3a256a7638a40dfa5957b9e0075c2166face646 |
| SHA256 | ce1b528777903638c3d1d54e431f4401ec3cb9373d6df0fc2cb627eafaac01b8 |
| SHA512 | 61b1158f880c6e4043883c26d0e65fea323d2bcd341158d8df51ba578e8b9f7a2cad067c6af5d5cff5ad95d96a26d6ab353d5ee642f6d76a9f1edad62bbfd687 |
C:\Users\Admin\AppData\Local\TempPMQLT.txt
| MD5 | 025b440da23deb540aa314393303485b |
| SHA1 | c24514626fafeed0bad536ba03d38b19c84ada58 |
| SHA256 | 33fce00989bf24be4ef7dd57feb556d230c9889a771eec337e2a4b7a85c0b238 |
| SHA512 | ee500cad17f4ecf03ce05eaebbd0e9870676a6e50773875e7f615d6681ba7c788f782f6f6a957c22e456da9f26af8a0c40467d7fef21b49f8f732f0c2bc93506 |
C:\Users\Admin\AppData\Local\TempFVIPK.txt
| MD5 | 583ea3fc5095dfdaaf7618dc30bbab46 |
| SHA1 | 08b45396a4b04e5f69dedc41b718c50ec2de085b |
| SHA256 | 9d5968081bc1649ef7a65ef14893cbbfcefcd2d6b2522a386702f47bb7accbfb |
| SHA512 | 2816ac5c7d645ccbd5983d2d5aec4ffb84c8be95633e3f56104071714500f4d8c83690235c3c0cd380023a5e397425190bd2cbf29eededf5d418cd658d933312 |
C:\Users\Admin\AppData\Local\TempOXTAA.txt
| MD5 | a858f377e50658245042676e63af142f |
| SHA1 | f4c80ab055d83e351fd43cbebd87f1c82a9294d4 |
| SHA256 | 62255c76c20b3ceae60e02ba072747a318a65dccf75d4b2d80745ea800680e69 |
| SHA512 | 72135514fc9d45ab7f22dfc3960ec81986419026a36de46242e4a906b92c01dee652342bb11e0ac8f8a823ab4f1e0d8e10d70cd2c2388a6a000ce8774359451a |
C:\Users\Admin\AppData\Local\TempSDPAX.txt
| MD5 | 01828693093ff77f5747295d62c209ff |
| SHA1 | 185f2ab8d95dc3560551dcce5f8de1d1ec079672 |
| SHA256 | ff2c0dd6b807ad417a34d9ae9382878859bf85d5f68517f23d3e4da0487dd8dd |
| SHA512 | f061d8d712ea0f6958d4418f3f3e57cfaeac04b76702439558cc6ba218085d2fc45946ddc54b62b9e34524676c80b92453f67a581ada73203534ab6fb01ae439 |
C:\Users\Admin\AppData\Local\TempESAON.txt
| MD5 | a001473333022899c9dacafdade0e104 |
| SHA1 | b880e4a9a640f72a935155f658d3192b739f2c11 |
| SHA256 | 9cb662c00791ea13303bdf95abf1d94e901997c261cf3daf3cf84c305eb0985a |
| SHA512 | fecded9fc51f17d40e4decaa45127bae6ed2f89da57c31b9a04fbae20da576a858deb39995f57c5e7f514c635d678742de456c157e4e705db0e82119d5e19bf7 |
C:\Users\Admin\AppData\Local\TempBEFPL.txt
| MD5 | 987c8458662eeab733267717194dab10 |
| SHA1 | 7dd9830cd4baaef90b3c205db35756383fbca135 |
| SHA256 | 129efeb13fe3eb79c0d5c886dd20022d15df42ab0c95f79d4f09c26cbdccbe19 |
| SHA512 | b83d2df29028f61fd70719311acae4ca08fba183cfec0ca56f4954865f1bbbe7512b6406d92a47eb236b10f4d1b1c54c8131eb3bb5cc2e898892814fc174f0d4 |
C:\Users\Admin\AppData\Local\TempBKVTR.txt
| MD5 | e96e321e0d958fefc515bce0eee69efa |
| SHA1 | 572020c477b6360c7d8962c73cdbe7395d502a00 |
| SHA256 | f8529a8728fe98d79b99baeebd66cb44e8c13f7a0263d822746d04d7874fc1c7 |
| SHA512 | d5ef1fb7bd1d01caaa944007892ad3e8e7900d55e38a6460252913ccf8bd033d9bbc1212190853717bc248f5a8fe6cc4a1d20402523c7fd6a6132ebca8c787c5 |
C:\Users\Admin\AppData\Local\TempWIGKF.txt
| MD5 | e5ce57e5d30e26845277d501a8c1311f |
| SHA1 | 7000a2c08a8b046d6d781967692733156a2aff16 |
| SHA256 | 6e226e0033a8817c210108feaaae68b2b0ddbbc60e66151efcea4d19ad3d98df |
| SHA512 | af1ca4eac827acbf4f5ed0edf2b781dbe4aed93ec308117fb6328241df795e5f7698ab9e6a82fdb66982d9a6e033ed8788b69240000027a21477bcbfebb11073 |
C:\Users\Admin\AppData\Local\TempMJRDK.txt
| MD5 | 469f3e5ea5e8cd2c141fab98f2f64e1c |
| SHA1 | b515a918878ae4e5e292acd4b871388bc445161e |
| SHA256 | b058ef8d671332bb18372495bcc723fdd18cfa6f7353d9c16ca997caa2df44e9 |
| SHA512 | 2f86365055577c89259b0340e93a9c88856955c1fc7f1f3b177e2feba6442905f27438414a0f230123bd16f7e299805e39940c8b4eb5e2c3fc73a936af17c219 |
C:\Users\Admin\AppData\Local\TempNHCYQ.txt
| MD5 | 6d37932234587cc7795c130d52abd31b |
| SHA1 | 79b14567c8ca7857d93bf85810e2bd401423ea07 |
| SHA256 | 5db4a4e46432fbdc79298a88154ceafa8e0755a382e62739008f70f68868049d |
| SHA512 | c1bb43359eb4fd425f9b5bac8744f7e4178b8108c27f14aededf26eded3d82e043d5fedf08123bd2c0c6e33c01a7aff13fb0b344306d36539dafa1caaa86feb4 |
C:\Users\Admin\AppData\Local\TempGBIWE.txt
| MD5 | 9d8a73676ceac800fa001ece1f4e52f3 |
| SHA1 | 789fff73252bda26653a511337e96d9121f836b7 |
| SHA256 | aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51 |
| SHA512 | b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df |
C:\Users\Admin\AppData\Local\TempKXFOF.txt
| MD5 | f5e32640b80a435dead33fee40e71f4c |
| SHA1 | e43db0656ee9805498e1bb9f416440adb48a4717 |
| SHA256 | 89e0d74c0f0a3411e1758fce5992828b2bfeabf24c228a7d04cb3b678760667e |
| SHA512 | 37f5ef386f4cb358cbcb2f4a98e3524e53fd262968679059d00365aff0a1ef73fc0e3e693c131ebf79c1c7d21b6c7d12aeaf2d7f5d15ad303d2db585972cb0e3 |
C:\Users\Admin\AppData\Local\TempTCOTD.txt
| MD5 | 58ee66fa6b26b84a2b2723f98441bbf3 |
| SHA1 | 05c879e35afc11162776a7dae2e378bf7f0cc794 |
| SHA256 | 94e0e21080675e26120d7dc5e254759277bcd31ad3470846d04b9b93cdaad7af |
| SHA512 | de51ce998642657b32d6745c3d154ee36a9c5a4240dd0ef55ffd09e3d593fe118a3d0188b2de2af38286e5b07d065318560e35757a580e0cca82b146fe77543c |
C:\Users\Admin\AppData\Local\TempCDRNM.txt
| MD5 | bf2c1572765208029d1140dc018927e0 |
| SHA1 | 3328c95270b5502797cdd266aeef728bb058f318 |
| SHA256 | 506d32539093f4e3ff009ef517d883026fee6b0f787cc3eab6bf879ff4ead966 |
| SHA512 | 900a47cd898993f98331fe4ffb24742f84c85769aa0718863f27240bb36406527e1930ffc4a50ac23a08ae4806b7683d7fa7e0ffb50ab0198f1c5dd4b1441419 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 04:01
Reported
2025-03-05 04:04
Platform
win7-20241010-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJTEUDTURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSDTDSTQLRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LHVTKUNMOAEJXWI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSJWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLEKRCDQWNVKUKG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UFDHCKVAXSQTIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTVHNUUFYANWJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVHOS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DPQLKMCPXGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIBHOXANTKSHRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PUABHETSGHDBDYT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYXTUHNUUFYNWJI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\YAWVMCQMJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKUKPHYPDOE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WCDAJBGVUIJFDFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQVBCAIAFUTHIEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNSFJECTYRHHJEA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFDTRIHKFBCLHVU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNYOK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\UHLHFVTKJLHDENJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RXNLPKSHIYAHHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSPPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\BIMADOQLJMBPWFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe
"C:\Users\Admin\AppData\Local\Temp\75e718c0e168b9f076eb68b76e0dc142eb5091e723445b25aafd7368ce892ad1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMDYBN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKVAXSQTIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXWIQI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UHLHFVTKJLHDENJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIWDTM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTVHNUUFYANWJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUMAJV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RXNLPKSHIYAHHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIQKPM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCDAJBGVUIJFDFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEUHPJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCAIAFUTHIEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGSDC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BIMADOQLJMBPWFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTEUDTURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCLHVU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJECTYRHHJEA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIGKFM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSDTDSTQLRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
"C:\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGOGAJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFDTRIHKFBCLHVU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGOINK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PUABHETSGHDBDYT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNYOK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPUBC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSJWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLEKRCDQWNVKUKG\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempEIJSO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YAWVMCQMJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TVLFDKUKPHYPDOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVCTMR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYXTUHNUUFYNWJI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempMDYBN.bat
| MD5 | 56e62a5261bbb9ce37e157e5fceec40e |
| SHA1 | 4103106c6409939c1fd12cf35abe3ed28da06548 |
| SHA256 | 448934e2951d7cc4e4444d9209fb88d131faf2c1755a0cce3e9577107e46b2fc |
| SHA512 | 860aef0aa30a9db4958069deb123e78e9893041b09bc260c0d833d28c5768cf1bbc39298448baff55a88fec9bf63e4a28b0f68b4d2d02e13c92a749cc49654ba |
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
| MD5 | a4bc60b2edeb8fd437b89ea4f85bfafc |
| SHA1 | 0da4a6ab94348a2316f9925ce23f804af2099400 |
| SHA256 | 599f468b1630bfb1f17034e5978390466d59b2bfd277e2458a57e8def2c2763b |
| SHA512 | 48423900efdb99b87ce8e7bd911567868cadd22539326bab9fa78b81c7d0331bbf18e192b7de15e1f048afd2a30cdf8fd9c5703ef9d24ea1fec664c6f69e3b68 |
C:\Users\Admin\AppData\Local\TempXWIQI.bat
| MD5 | 4b7bc7b3abf2679d6f571f7b703398f6 |
| SHA1 | b3361bdd0816710b4384e96962fc246749a2e743 |
| SHA256 | 29a0b1eb97a4373a336fee28d7036c61625a8bb4ba6fc9cd7f1058ec5e793c24 |
| SHA512 | 2e2e5ae863dfeb8a891830ad0e8ee35c7a195047100b16785400e37ee7868047620b7d17c6699ff983c04d96733584ff137ed8f413219f9e353b5f5b24ac8829 |
\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
| MD5 | 7bb49f75b6660b66862e7beccd8cfb9a |
| SHA1 | c9885157db7d5025756f038933732accd1507a04 |
| SHA256 | a6e5d2759811c07129666f663e782aa8f5cad7d94b04251385329994b64c76c9 |
| SHA512 | dbba51d1a1d8161b3ce4463d518a7133f5b4a6ff2c0dea3c2be1d5347aaddffd966cdf4bb16fbebb51a50d923a186565e176409bf344ae5a6d52f2e26262d106 |
C:\Users\Admin\AppData\Local\TempIWDTM.bat
| MD5 | 7fe370d59da451691de97d72e1472222 |
| SHA1 | bc7e8443e5f501fb7e50e75592d87d98d48cc99f |
| SHA256 | 47664deac2a316be349e5efb72fa9f129d3ea70e6dba1066f9b8345d921a3747 |
| SHA512 | b52fa7c1927eddec513b3cb7097d547a0feb507e5a8ec6547083e4601abac714bfbf820c2eb38b7f2e1f6d49da59b0474915a9e313af310717384a02f71d4e24 |
\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe
| MD5 | 3aed41880a85678454f071ae995c8f5d |
| SHA1 | 577c4d3c3c44c8e2d1e1ea18c9d04f7add0e813f |
| SHA256 | 6ebbeb5147674182d821eb45a2ad87389d9eb7e920ea4c3965abc8d732ff7e9d |
| SHA512 | d3143699cee7605dc4a5e8bb0a14a4a2d946614299bd85d308a0eb13002612cb25024fa8875d30af5823168a972924a520fe68a015779952f7e1c0842adb9b16 |
C:\Users\Admin\AppData\Local\TempUMAJV.bat
| MD5 | 7439353d31c70df02f64cdc035298ca3 |
| SHA1 | b9685b6b456d50c0721f4e62c42199fb2926d79c |
| SHA256 | 2cc151bfcc3b54be65d0b149ccb72a7f38a28375d6a894f6d7b93a35398d9e00 |
| SHA512 | 5d36b623231de6ef0645aa6741021aae4aa2fb7d03bc59732adf104a2773ee3e69d867b6bb2cda00b74003e5cc2491028bb1ad6a57701e4f28462aa3aa7c62fe |
\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSPPL\service.exe
| MD5 | 5b65b29417553baf4e976925770e700e |
| SHA1 | ef33b9f0c437dc45772162becf735df287c5c64e |
| SHA256 | b0afbc666e147f06c1b436581d1727e0602be6219e3e99255ff16b98084de6c3 |
| SHA512 | 89571b29b45ad6745628513613c80b8913e5d934326c29fa962777d65ca7fa6dfab595e6145edcfe8392a5c33b360181bd4e9dd09fa34d5709de5969d45f5c03 |
C:\Users\Admin\AppData\Local\TempDHYUV.bat
| MD5 | e13f314830c35740302e2988e38038ed |
| SHA1 | 25ae4d4027f1d379c14175ed5431ae564c074ec4 |
| SHA256 | 5a2491d3063b42a11f0fc9fd9dd345e475c6de25bd0e3ac44f6e2cbd0435dd86 |
| SHA512 | 15eb39f7a5845955431d921816f979af697e1d637f3feb68cd2d811bb833bec0e99eeb032833d187f517270d6331d14c44bb0686ce7cdc26953f1626915b2d17 |
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
| MD5 | 381b239c932d48942b47f1e4b3ea6b06 |
| SHA1 | 4cca950f0b21c7b33f79c8f77cf947404a8992fe |
| SHA256 | 4050a05d3c9817269f7708e110b06a37f4a0631f02e37cbe6dfd503ae2b05cb9 |
| SHA512 | eba09931f71d593a452af3552440fd4a93a8b3d47d4a7cb906ae19849a71395e108b80d51ade68b67c221ea588e5bc3ac403e7a7c3f1bb28cb2964785d6332e2 |
C:\Users\Admin\AppData\Local\TempIQKPM.bat
| MD5 | f3215b76593a1894e5edd5c1c2515fc8 |
| SHA1 | 87b29a6a8aa5d8921204495707055b6e7d6c4ea9 |
| SHA256 | 416b48bac5678aea5a8fd357feae17a8ed365eb8b54e70df138642ebd1553144 |
| SHA512 | a2aaf9cb0794b1f5524dbf1f558b0f593cfeeab84f397ba670ba7e4319a3216db4a514c067f3dac58b1eb75767f58560408eb87095025e2e2432c87b77e71a0e |
C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
| MD5 | b64194c217222a7ca06370bdf11dcae5 |
| SHA1 | 97eb6f40380f81cd90f74a753e353a7c7cf6406b |
| SHA256 | f58a96b923aaa51c27f95d1fe125e772d68c67ed99a03298ac2fdfb9f4517195 |
| SHA512 | ca8ec64b8928a341d1ddc8e01793ffa1fa832349246086ff1baf24569f3d47d01747c5d94e6fa261bb5ac85629ddd3397d426917718aaf2aa7177432c47adb47 |
C:\Users\Admin\AppData\Local\TempMWRFC.bat
| MD5 | 262a690383101b6d14fcf1d0035fcd22 |
| SHA1 | 8598f6acc2d04374c8d94d6078fd8659c69b3f6d |
| SHA256 | 87ebc880c05ffe5dc9060d56b13f5e711373281f53e9e5fc2cc441bbab7c7f99 |
| SHA512 | 9754dcad33af28e5b2fa337085fc2d0b4c2d200566773f41c1c2c24a93605bd2e622b29e44c88c4862a6bbbfb4c21546ffe7f17363f4a60e595c22b202f2d477 |
\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe
| MD5 | a55a9bda426b42b250db4e80daf728c2 |
| SHA1 | a1464fc2974590caad76eb27130b3c9a9f8c3033 |
| SHA256 | 610144466b81a8f62e17bf60992d155d4e5e6bde24d19cf6fa99bfd9f4b5c085 |
| SHA512 | 72461dba7b2ab98b25c8bbbcbcfc906d1ab2b10f7ffd21306ce62fd9a5973f73d7636eeef98b019810c550c23d413e157af30c078c5f8bc46e6ad897926b5568 |
C:\Users\Admin\AppData\Local\TempEUHPJ.bat
| MD5 | 8906192e2704307f41c53839d8ffb47f |
| SHA1 | 3d1d811e339cb09209b25a1c947b8d132832ebb4 |
| SHA256 | 4419766c59bf9527d61ea35deeeb0b2e7aeb0f72a87892b6d04eef1d9b18049b |
| SHA512 | d205217a4abafc89aee5ed77dbbbba141a980b1c28aa978784b424a1809e4bdcef0ae3e8a8588c3f3a79c4706f926777c1a8fd1f50d7a504fad776eb659db077 |
\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
| MD5 | 306553145b664c72013f09d20630225b |
| SHA1 | f4135c086caa5b46c223fc78d54f7c511ca35958 |
| SHA256 | 6599550d1fd11d7be2be42ccf3caf5d5d71564f0b01111867c68ea6814402d40 |
| SHA512 | 5b54283f798eeaed6b807fbb5e693dc4c004b9646a43df2b3eb977510bf02c34e9ab5e6a6bdd4970712ef35b8b628fe5c6da8006299ef02ccc296941fad5c768 |
C:\Users\Admin\AppData\Local\TempVGSDC.bat
| MD5 | fe328125766781fae9680412f03ae7d0 |
| SHA1 | c2deb156fb0ba41db7649045818b1a9ca0593e9e |
| SHA256 | 9fefbc395dc92a415c6c807d1eb0050c78c6c17bcb450326c0e441550e2c8fdc |
| SHA512 | 0e660c44614ba8224eecca39273cb980c9786e11ccb63b5a6ae4910bc24f063a42a201ddaf080ab1148da7636b8fbaab5201fa2eeee14ef82978af2490eec2d6 |
\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
| MD5 | 54b345136339d140cd8d1ffa41f17d4c |
| SHA1 | e0d1011ca825e3fca682938e82ede96625fe35bc |
| SHA256 | f73db7bc05524dda6d9ec74deca536043a5b6dae404b65431ba731a07f99db7b |
| SHA512 | 6510114abe47342ef9d3749fa4bc4784dd58787b48bb2a2332dd5c97cfd3459b62c52f39ee403879ba03d540bb663297ea44fb01605ce5b48a99dbd2984e51e0 |
C:\Users\Admin\AppData\Local\TempXIGKF.bat
| MD5 | 7ac1fabc9df638590705057fcfb35843 |
| SHA1 | 713852ced0fe693801d29d556f4945ce46712ebe |
| SHA256 | ef520fbaa273cc23c26e024e90e9aa9168b4f8968c42a14f802b7d1048f5fccd |
| SHA512 | f523462b0075a98e2bc697cc4c2b06192466148f8fc3f8cd3d0d55a32df5153d0307eba4c59236e8c4ba016b36683a57b1c990f130e52518c01093cd8cff6c71 |
\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
| MD5 | cf79cce44ef072452a7867bb920a595e |
| SHA1 | 442b914aadefd50a55ff4517548e50779746ad14 |
| SHA256 | 47f1d263e83540857a51388cd0c5a55e0e9772b06f8fa8d6fda4b084e0bbca1b |
| SHA512 | 98b13f452370eeb603020f12002af50f9676889ca461d083ac7181b5925c95dc56ca45c6fb8bd9ee0c8c0c141112df6f3373e04f46c226ff2c66f3a56b7e2d75 |
C:\Users\Admin\AppData\Local\TempCLHVU.bat
| MD5 | 296acaf38f1112b3b57011ec45757f14 |
| SHA1 | af100448f9f10b0f918cc1bc805ca868af1573c3 |
| SHA256 | 8d4d127d35f6dcfc835a060d8fd313e8dfe259f63c461d7fb6f39fead194e5c2 |
| SHA512 | 52eb42f77f7c192217d93ec643a237d08acaaad07d84950cb98f429b0d80f42d194e0d1678eba09de69271a7634a9d7107020df7f9d42c91b9c63288bb21240e |
C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
| MD5 | c76083791bf3f55520671c3c4c698619 |
| SHA1 | 313dd997afeed5874344eb5ba0962d80f933236c |
| SHA256 | daa1e5031f6e4e98d3bdfb3d4e07faebeb95f1bc0be123d8fc239bb023863fa3 |
| SHA512 | 588921b9a9a57c739a2ccdd3ba2fd90f1d1df70ef5f71dc5ac2df0bc722d33e43fbc6035cf47f0df84f62a8d44396850e66755ccc8366e65f2547adf2c2d6129 |
C:\Users\Admin\AppData\Local\TempIGKFM.bat
| MD5 | 259fcf2d77cd48c375b929493d9e95d0 |
| SHA1 | ae081b27b04fa7248d5a76d5a71b4cf3abb748cf |
| SHA256 | 03d5d4132156b47723a4dbb1e4c4972cddb4849d49c11bd99b16b9b0741b3253 |
| SHA512 | daa5860fd72a954f303015944d10875b968a5e40d2631e7c110696447747ceac4e47d29f3c523ae1d576c48dfbc14a1ab2f5b0f18ef4ae8686b6a53fef50dcfa |
\Users\Admin\AppData\Local\Temp\LHVTKUNMOAEJXWI\service.exe
| MD5 | cccaa800697277d5bbee58e759de5ce9 |
| SHA1 | 693ca50de693e54c84711db2a63a3772702fa8ff |
| SHA256 | 6ff2da474dec88793548b902bb474baad88cad7ae84012a6a5f50ab927c0b92a |
| SHA512 | 97a277d91c36dbcd1cced1f618f0c89853db30bb0880ce382e54e3c1dcf790fed8c3f8587e3dddcb6a0b6bebc91982cac555c950742b6af6064d559cbebbb2b9 |
C:\Users\Admin\AppData\Local\TempGOGAJ.bat
| MD5 | 00a1aab76be53cc31bc46547536ce0b4 |
| SHA1 | e470a4805a7225a254c33b920d2279909558e524 |
| SHA256 | c1f64ee2489a51a9fb8f0d52f1fe843cc8f8e6641d167e4bac724cb970c35de7 |
| SHA512 | b71318c4e0022eed6683766dbecff358dbf8db16569632b8284c2ebc5d5b67319374cac939be5e25281a1c53181bb583b85cdd122fc6ffdaa0c55c580214489a |
C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
| MD5 | 25b5751c2d793598d4c8d9f1a4facdcd |
| SHA1 | e8fd5fe05011c3e04251e963a0431996d21fb24c |
| SHA256 | 04b833f0884fb69ac0ff95abd2a156e25e331c85bdf471314495fa361d65812b |
| SHA512 | c411f4cf17962a8ec3491888dfa5e488505b0e29f1717439b846da464bdffc68d3633d2cfc42b93e7e3390ed6cbb4f60b03512ede3bd9e8433db2071bbe53c85 |
C:\Users\Admin\AppData\Local\TempKTPCA.bat
| MD5 | e6971fc5ad2bb62beef1e7af5975375e |
| SHA1 | 28cc9cdf959d6949d98d965a0e5c6686fae0c421 |
| SHA256 | 631e83a43ba699b3f360f0a6f4862b3c0644e14cc596e75eb1d05e014970af58 |
| SHA512 | 8f7357df0d71ecf54199480c5eb4064380c554f3c877ad0d9ec42ff573da506cca3514842916d4cd5b8cee09cbcfd7cf98fb02104929c7a0278411efda48c0a8 |
C:\Users\Admin\AppData\Local\TempGOINK.bat
| MD5 | 66cb8e84ac9e70eb9c5461f1df9fbd49 |
| SHA1 | ae2074b6c5565d02c05aba6752b4a3f2288f8f13 |
| SHA256 | 03b34ef5801e82a5f39a733a9862cfc378f5246115e37246ae7c2d955c82a387 |
| SHA512 | 6f4667b820f01aae418f6b28c324fcf21e8176908b3d8e05f36616bab914b3bd29fb7dc85504ce5e2c6cac3f1f1f0b8221a6232ac0e05209daceb7f2c82d16a6 |
C:\Users\Admin\AppData\Local\TempUGMRD.bat
| MD5 | 1ec7e3ccc363d8da29003f6ca9f20bcb |
| SHA1 | 0f0f489d7aa81ef3940691225309146a6831f60c |
| SHA256 | abcf81cc40c7d02722b4e7ec09f9acb87ec53d01704592e4cc80c829f87db94c |
| SHA512 | bcdf328821e26d27e9f8d3736e33601e50ad69ea511f3f57fba0d2b5318955418deceb86fac03ce316b0749170f34293870c2a4cbbf2ca770fcc8d98c9fb71e2 |
C:\Users\Admin\AppData\Local\TempMVREB.bat
| MD5 | 6edac9d3462022d02e120279da89ddaf |
| SHA1 | f278c52733191d69d88dbe1df8b6a02a93ba3fea |
| SHA256 | 22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc |
| SHA512 | ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b |
C:\Users\Admin\AppData\Local\TempSTYEF.bat
| MD5 | e504d0c45a4a9b32ff935364e8dfe1f0 |
| SHA1 | 5bbc93f6ed0dc1ae5fb35802c9c6037862b5e442 |
| SHA256 | 95ca150dd41cadf95c3b7de18442c2e6d0332331a7fdb263a69ae43f50525c00 |
| SHA512 | 56a76f9af3d60d6a0f1b4a3ebf6e5e00f36694bde6c836bdf43b271702c85a73aa99037cd042568acbf7fa8a50abf73bd1590843fa469ad201cb1cc140eb25e9 |
C:\Users\Admin\AppData\Local\TempOPUBC.bat
| MD5 | 4c4d019560d9fc027ebb29c920f78fef |
| SHA1 | 638fea69835acacd2105f6463785ebf08cc19ed8 |
| SHA256 | b566f27e1772a74b1b53c7b97e17b040c53109e5a75a3272a3f8b94c20edcf43 |
| SHA512 | 692f991138ba390079445c42fca536bec82c76dacff046f8b455b173c504d04c3ed939eff36432506f88eda464e73561d2246f5e298e2324a5dfff6f70a36147 |
C:\Users\Admin\AppData\Local\TempKYGUT.bat
| MD5 | 1c95cf0a551ea20f4178aae177d34802 |
| SHA1 | 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a |
| SHA256 | 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48 |
| SHA512 | 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c |
C:\Users\Admin\AppData\Local\TempEIJSO.bat
| MD5 | ce316d102fe17369fb900df03386151d |
| SHA1 | 8bab2bd5df4620f24b14caeaecddbc6bba4ce07d |
| SHA256 | c502884dc7a51d0501e9a4a09c9d1e53cc78d826c4fd7d4d57971ccc381da2f8 |
| SHA512 | 0b64df1de5c1c846f0f0a1297eed4fb5ba0e1c096f106ae220a2082f33fb653195afd09d702e7b11db7f6260bf631d00091ac044ebb6a4158714f494c8786576 |
C:\Users\Admin\AppData\Local\TempVCTMR.bat
| MD5 | 5566146a4b2e398cf04636ebeddd1886 |
| SHA1 | cb43f0a532d335a4b29784df4b4502d0fbd9f793 |
| SHA256 | e2a4d7333071126742ab4b180059cad2f7e7539566b84e397765b000b86f2cd6 |
| SHA512 | a8d1a401f690f4fc15a1ede5cce84aa4d332b7f6c1c61a601b303f10a7a3a932e30372e975f5c5d2bdddbfa52791979ac373f1371c128f71603ee2ac0c7390fa |
memory/2480-594-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-599-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-600-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-602-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-603-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-604-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-607-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-610-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2480-611-0x0000000000400000-0x0000000000471000-memory.dmp