Analysis Overview
SHA256: e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Threat Level: Known bad
The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Blackshades
Blackshades family
Modifies firewall policy service
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-03-08 23:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2025-03-08 23:01
Reported: 2025-03-08 23:03
Platform: win7-20240729-en
Max time kernel: 147s
Max time network: 145s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UCPPBJASKGBRKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDUOCJE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLJRDJO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQGUQOTFSVQJMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EJYAXLMIGIYLTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXTOCXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJTPKTEUETURBMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOTABGDSSFHCACX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQOQGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNTLCCEFTBPOAJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQCGLYKSKTPKUFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMHGMIYLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETYRHRLJMYBHUU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBBHAE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUGEIWXKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWNB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSAFDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQOTFSVQJMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOTABGDSSFHCACX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
"C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJYAXLMIGIYLTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQOQGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLCCEFTBPOAJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAEUVS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQCGLYKSKTPKUFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempACQLL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUGEIWXKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe
"C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXKLIR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UCPPBJASKGBRKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe
"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXJHLG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJTPKTEUETURBMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKXFTS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
| SHA512 | 6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282 |
\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
| MD5 | 414ba6d6e8ae340056ae5899d209668f |
| SHA1 | c0cc0f07595db4ef13eba4159527f99389309158 |
| SHA256 | 089f5efe8b722d8de13b927055b18d8986c22794202579774bafe25146403302 |
| SHA512 | 17ede3781e487534753ee8ef66803ee2027cc17d45e4006efc2647beaf89c802851189b037f311187d988c2eea1eca2d2fed7fdeda0932ce0466a02969e89f87 |
C:\Users\Admin\AppData\Local\TempAEUVS.bat
| MD5 | 9b8950a8d2bc44b20c8555984b0fee86 |
| SHA1 | 5b90fc89e089f39f4f46195eb7395e9924eb7289 |
| SHA256 | 1664f35e7f04db5ca4158768ea6fe08e153f32b2320d3ff54864351e30fa99fd |
| SHA512 | 0254a17c49b2b010018972df13bd67aedbc0355332fb1f91dc9dd6e6a33f94d3ac1facb2eab0ad177987c2f326fa523358ffe448dfaef0b2de2f0870093f07ca |
\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe
| MD5 | bc91f4641dcdabf6399d002212ca52e8 |
| SHA1 | e1c26000acc3b94f1b16fb2ecdadc766f90884be |
| SHA256 | 8b6a7887cf1f04b76215537e23ccd1c340f44a65b719ae2ff49e2b7f7d78f7d5 |
| SHA512 | 8d152682ec42fb1fd4e36f1c8989bea2300b55ced073936606ac52b64060ee286893431126d33235f5c946ff1b127bd34f92b2bd27bdbbc63d8f27ccb5a262db |
C:\Users\Admin\AppData\Local\TempBHVDR.bat
| MD5 | b8382e28e36c2f79e4c6aabc88e01934 |
| SHA1 | 4e0d6b24e341d2c38e2043978ff08d6a962a765f |
| SHA256 | 4aaf2c1c77ad5f3e02e53ac5a383d88f2a933e530dee51dc72c7d0a18f321129 |
| SHA512 | d5179a9bbd4a238041217dc5a41a28420026424357e30f9e5c553e90ca230a29779185d9679224d8919a6b59edaa181b2f10ac582323f9f5e6aae9583a5dbb65 |
\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
| MD5 | 11b1e9a6fc566d31850400087536a27c |
| SHA1 | 5d12db7bbc9865ca32e54e3ae9432a9a33d4acf3 |
| SHA256 | b4b3517031bbb90afdacc36de850820668e242e88ca6fefea963f64ac0d08b23 |
| SHA512 | 878f39c108c30dfaae3c65dfa1a92a97e44fe1ffa88931b5cacb360f69f6e7e8d5bf0a77a4a4e32665bd12a5dfa68da9ebd9dc4516aeb0d0bf422d8c3155f041 |
C:\Users\Admin\AppData\Local\TempACQLL.bat
| MD5 | e914726db013849135a3df270ea01fe1 |
| SHA1 | f7ed91af109707b20d461db51899f12a08493601 |
| SHA256 | 001c411f3a5a19e9475e3cb644d4f0a905c57a27aad76c26a204436e269c8e2c |
| SHA512 | 541ffd82cbe7796b307f0aea75f6ed52c4e6bcc85e562cd2cbb91cc8b6ab5fb2edcdceae98e86d68dab110f55984c94dedfe0524ca5babaffd01f54262d8f889 |
\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe
| MD5 | 366907e90cf59a2bec35f2b2be683631 |
| SHA1 | 6e8705fe82b2454f160b86d178b1f194d2034134 |
| SHA256 | 8323f573e3aadca9f62bfdb4569ddf295ef07eb494526110b2b65ea21e793357 |
| SHA512 | 79fcf94af645a599f32b2fc4bc9c700b752ebb7245217f59a77080f42b00fde714d5f0c26fa93362987da8d3c066913f89496f62bca23506b15b5143798f5983 |
C:\Users\Admin\AppData\Local\TempWIOTF.bat
| MD5 | fdce57b6b98e201e03df95e0ad110d92 |
| SHA1 | 20d68760a99ba37d163926c3ab2e0695e8fbe592 |
| SHA256 | c4ec711aea998303f686d537c3318c6214b9761b2c9ac39cf43e98ee4c24da8f |
| SHA512 | bf0cf7db9e0a9c23cf9492408f993a18c13804074e318e348677c92133948280ae274e4012209b744fe1c449b4a84d8c85ff266f643640dc953652e224163eb4 |
C:\Users\Admin\AppData\Local\TempXKLIR.bat
| MD5 | d809c53a4dd225a669f8fabff704fa04 |
| SHA1 | 62a666433aece79e30f34ab35b5ad4a98dc5ef89 |
| SHA256 | e6116444e247226193adc0cdc220015a1ff36c8b07a435e72e48fc7e7cd27842 |
| SHA512 | e64e2a0084422d2d7f2fb35db9c42a01d40ce8934c37b8b8f0aa239f7e2846cbe78c6c34bb5a463b0b15f82c9f6a5e6e39abeaf45efd02c35c27c6caed2b8d27 |
C:\Users\Admin\AppData\Local\TempSQUPX.bat
| MD5 | 233641eac719ddd5cf2761f64e75aad9 |
| SHA1 | 0d8aca9fdc3454d7137cf3f603b645aa4bc286ee |
| SHA256 | 3c9d793f5675ba25e754d1cb5a56811cccb610d16d58181d10e2deedab4e5c03 |
| SHA512 | 9bbe40aec69451757fd6a04884b6df2defeb2319d265030a4da7f50bb45063f7ad2a86c048466cb59b0f0deb715b31cf1a9f89dc7d171d93412a1b298ea7b8a3 |
C:\Users\Admin\AppData\Local\TempGUCQP.bat
| MD5 | a05bc5c948181b8882b7b95448172f1e |
| SHA1 | 9dcd6a7078ad15bd61db8a84bbf43688fb27742b |
| SHA256 | 42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226 |
| SHA512 | 24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a |
C:\Users\Admin\AppData\Local\TempXJHLG.bat
| MD5 | 7625fe0e989a8bb599d145b6483418dc |
| SHA1 | 20a35acebe2f17ef4c51bea383e7a64647742307 |
| SHA256 | 2a834cf9b1b3b911f5066bb0a235cb39932c91fc755247925653434158af2e05 |
| SHA512 | a6a2f26ace1143252fb85611c5916fe570dfd305295e69db80607aad58e2405b63bb3bcf4f2bfc487da40a418042c543e172926ecd6cb5538171019e2dc2447e |
C:\Users\Admin\AppData\Local\TempUFEIV.bat
| MD5 | 87e6dda0e31203e87c351d11011a0020 |
| SHA1 | 876ecf8c33da30448557a82401f32f1bd56fec7d |
| SHA256 | 4abcf181eaceb32b5111d062d95f4fa9893f37a5be5caa03caf42d5bc1c2e1ff |
| SHA512 | d53f49e1d0ee687bffb9f29bffc36ec242e31665daf1ddff836d1f41ad49216b0876d65e9a6133da5d2c4fcdf6ce4d357b480b9d99ae098b1822e6bcb0bdd206 |
C:\Users\Admin\AppData\Local\TempKXFTS.bat
| MD5 | 85842b09d2dea6667cbd548ebd2c2f39 |
| SHA1 | 4a6bbfb6ada10a281cd14a93715cbd68fecf37b8 |
| SHA256 | 6fdf41a5560410dbc0042c77162b6bd350cd664aaa17d4aee2f5017612c939ba |
| SHA512 | d9ed6d2d98c9fd790028e4aa53df353d7c0feacef9b867598b2f989f3ca4cefae3503e0d0d23a1b44d56c781150a1582ca722a470f2c6eefd2b6b17105aebd88 |
memory/1576-546-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-551-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-552-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-554-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-555-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-556-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-558-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-559-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1576-564-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2025-03-08 23:01 |
| Reported | 2025-03-08 23:03 |
| Platform | win10v2004-20250217-en |
| Max time kernel | 150s |
| Max time network | 141s |
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXOOMUGNR\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMAMYVASWROPCHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EOTMCCEGUCQPBJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPDAOWO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBIC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQALRWIGKFNBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJCIPYABOULTIS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQTIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKYFOXVGCNGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IITQOSNVJKDKKTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARLGBGVW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGELVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXUFBMFGWPTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXOOMUGNR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFSAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYPNRMTIJBIJRNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OUKIMHPDFXVEEYN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERWOWKVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJOBNVNACWSNBWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLBOVF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SWTHTEDHYUWIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBACXSFNHMJURP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MOJHKNUDPTEQBAY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFNAGLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJHKWAXF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MJJVRPTOWLMELMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVRSA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IECSYQHHJEABKYG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHET\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIUROSNVKLDKLT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXRFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYAKQXXIBDQMLGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQORCHMLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACERNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AOKHYWMMOJCFHQM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EOXFCQUGHENFKYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VRFRDBFYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMSJRFQG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCRREGBBWRFMGLI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDOT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNLJNBEAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OACFQRMLNDQYHSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJASKGBUYKLIRDJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NRWDEBKCHVVJKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VXJPWWHABPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLVPNQBGLYKS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWPVHD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYAKQXXIBDQMLGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACERNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHVDQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJNBEAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLTKFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOKHYWMMOJCFHQM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCVTCC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQALRWIGKFNBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVOTFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VXJPWWHABPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJWHGK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFSAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMUGNS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXATT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMAMYVASWROPCHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EOTMCCEGUCQPBJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQTIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNCLWU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SYPNRMTIJBIJRNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTOWKL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBACXSFNHMJURP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
"C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKYFOXVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRIGS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OUKIMHPDFXVEEYN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFRDBFYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHUFEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OACFQRMLNDQYHSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJQA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRWDEBKCHVVJKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXODMY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IITQOSNVJKDKKTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe
"C:\Users\Admin\AppData\Local\Temp\LETDLAUARLGBGVW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDHXY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJOBNVNACWSNBWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLBOVF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBNK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAPQNWIO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIUROSNVKLDKLT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXRFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBIC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWTHTEDHYUWIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYQFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MJJVRPTOWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVRSA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVSS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MOJHKNUDPTEQBAY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFNAGLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFNF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHHJEABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHET\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGELVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FCRREGBBWRFMGLI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDOT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGGEMF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXUFBMFGWPTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe"
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXOOMUGNR\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempWPVHD.txt
| MD5 | a6a356d2b4b9efad0d586fddb722c933 |
| SHA1 | 74344d6d5a10b3e4327f842986d7569f51876cb9 |
| SHA256 | 51495415978b6e5f0323a4b75728c8e02f939aeb082d866706e6ebdbc49fa96b |
| SHA512 | 1e81d7a4b10b1f14ca9dd093aba9c19eb3e22a7a5c0d796c3f81da59dcf60057e4d2f2fc66c875db2e3b4305d680db8e264c8549a225fd9c89114ca3a5481b6c |
C:\Users\Admin\AppData\Local\Temp\AOKYWNXQORCHMLT\service.txt
| MD5 | 31a9cc8bd44061295e2fe392d4f137d0 |
| SHA1 | f63e884f48bbd4eb0607c56858a7dcda4eed92cc |
| SHA256 | 63b2edd29111c36468df478bdef3cec9a42ce41bdd9ea8c8668adbf77573f296 |
| SHA512 | 93df33a96f498f884865e6ae6a22f04670645c918035903ca67bcf472e4da53a3bfeba9ecbf75c9a113ee28f478139a2e276b49311fa8788a7d1c4db573d3631 |
C:\Users\Admin\AppData\Local\TempXQWIE.txt
| MD5 | 743691743d8e8df93eddfe8efa698259 |
| SHA1 | ed6f1e361eb6586cb10372f7b879921251b28751 |
| SHA256 | 290a8ba0b49cfd1556a9322ac6d0ce8dc22ba6046dfcf5043642be1c5c6c704b |
| SHA512 | a3e1f5526b531df6a1d0f7c42c854eb5dcd1dd0f50c9ac19b0ecdd7cb123ffcee8c5eae729bb4bbc39066324fb15c366278a151bedc62b7bf1472fc2d0a88348 |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe
| MD5 | c6df6fc41a24891ed5a63aa11b670994 |
| SHA1 | 10969489fbc303e273c9602f09ba9daa8d903c12 |
| SHA256 | 122c8f16638dff602c445545ae05aaeb29d734b67c7a1f76233dcfdbeab212f5 |
| SHA512 | 5babf20c1f4122ffd742f1a7d4088861a09c3e32ddf01574e6270ba93ad26c48d372f52ab1ffc0da560087c41cdc287d8ae75e51ab25952bc37f207801f9b57e |
C:\Users\Admin\AppData\Local\TempAHVDQ.txt
| MD5 | e5fea69fd378f24cd1e7dc48ceb8289b |
| SHA1 | 40726f47bb9fdd955834922939ddf3f5404583b9 |
| SHA256 | 5399625df7343f1ac173b24c626b96e7ea6eb480c6745331fcdf5b1b14901b09 |
| SHA512 | ca258556151b7f69d0a0368418469edae5092593d2a3a5833e380f91e66d8bf688626a12b40d68bbd8bb9e783b64d6126fab2ac614efc3c0bcd5f424a3d29a2b |
C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
| MD5 | 34455b2aa3f4b9d1aecc25433007bbb4 |
| SHA1 | d69227e7fdf4f8418726dae6f20b3e2a9a5ff340 |
| SHA256 | d3e4e29a28fbb7a2a5dcd6ba0bda4d01cda5e42871b2f0636464e4798da31bf1 |
| SHA512 | 31facdd33df3d90e492963292727dfb2206979ec5d624972bd20ba45c8a92d698a1ebcb14d0233397168e5460863818fae31814a3d2a9b70e4b88932e377cb15 |
C:\Users\Admin\AppData\Local\TempLTKFO.txt
| MD5 | 3e754df7e64a9ec957e2a556e1f5747a |
| SHA1 | cf8dcc90da533279b0e57f0ddfc8df475be032b5 |
| SHA256 | 8c5de31afed06c70ef24683520aebc07506b62556530d2f441e29e1089e6d599 |
| SHA512 | 597a30f19d670397e21068524210b687db3f000b1c9223d24620f7894e75d41daec1af471d02eb0039601253f5918612979c0fea88d852aa64633ef24b481e97 |
C:\Users\Admin\AppData\Local\Temp\EOXFCQUGHENFKYA\service.exe
| MD5 | 58c2e813aaba995c7447b6287d38d1d9 |
| SHA1 | 020286bff3792a6514c2fdc62047c8fd56d76684 |
| SHA256 | f9fdbf33aa61771380190ab5c05b24f84fc2e24b7e40b357d7c3d439f142e3a9 |
| SHA512 | ec2ec18fef0d64311f28a9e477506a512cbff01bca3ac9e9fcdc7d3399d74367d7c3efeed31de38d212b3c1ee3fe3e320a80f2d120c889e50a144cac439e6a29 |
C:\Users\Admin\AppData\Local\TempCVTCC.txt
| MD5 | 275174313a2b433bea4412f51746c984 |
| SHA1 | 0eebf035c90c4e225cf33705775a9c5fb5cbc211 |
| SHA256 | 1feb545981a83465d1f2c20a7da63705bf9b372db4fb3cc0760467322cd5504f |
| SHA512 | 16db370572f3579761721ffa45abace7f5d7554785288fd8d1e9a127654c5e6e97f8621dafe5e056785b96e3ab6245bbd680e2836ecb2e4a8b4a708e54924c93 |
C:\Users\Admin\AppData\Local\Temp\XQJCIPYABOULTIS\service.exe
| MD5 | 4254e7afec41b6f772749a93f3886488 |
| SHA1 | a128c6c126996815df9b17210c8f7829e36f5568 |
| SHA256 | b43ed12bca8b88702d193154bc212fd65d6d1d690f56186f85cc11a616266f21 |
| SHA512 | bbadb530ad5c7ecdcbf0057e076a7c6b31d26bfa3c053bfa40d4fe32a34738cb211bfde22897f024f9bf7b74d0b0e9509e3909bbea8b25f70ea0e65dcb353747 |
C:\Users\Admin\AppData\Local\TempVOTFC.txt
| MD5 | d4c2c187ecbe9866d91d5713a6cf9d69 |
| SHA1 | fb7b54083ec1a6301b8090735d56364a219e650f |
| SHA256 | 38463578efd244d5249be95d62b57a76498e5fa5979d7bcae9eecc25c0fc6b0d |
| SHA512 | f737cba3fb69a16cf6f703fd064b2236a59e3c6b0d86914baab286bfb1e31fb715a6b5d374b7672ed9ecb73e4a7283d37858af987b9bec7afba0f3e6c54b3588 |
C:\Users\Admin\AppData\Local\Temp\NJXVLVPNQBGLYKS\service.exe
| MD5 | cea8d8e5d79baaea0c3544d3973507b4 |
| SHA1 | 80037c51c7a7dca5fc936d4bafb70587f89adab7 |
| SHA256 | b7b02cb12f7893f648861ccab767466c8b05406dff77764f72e282cb927dc3ea |
| SHA512 | 85c193f804885eb5dd413a8ae9c6938f52ea84888c88c8999d6a5350d602ce08b485274443fbb688e2a3d6fcd22e2de839559e9f16bb793658ad85be566a27c6 |
C:\Users\Admin\AppData\Local\TempJWHGK.txt
| MD5 | cd7b73ecdab64dfabaa705c8175aa245 |
| SHA1 | f28fb8fca424755a0dbd828c77c6d0e583b9fdbf |
| SHA256 | 3c9928829d3e5d2b03d80be1301e08e77f42dbd1247665728c0751931459099e |
| SHA512 | bdef52704c32326b0e08a96e910a650a3ee5c5e1ec956aa839bf49bbd0227d87fa540c466686a9616a0cd4e0e7ec55fded3efb66719ca6acf9fd9584e57f489d |
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
| MD5 | 42820b246781a5d1185926be7af0c834 |
| SHA1 | f68a4984b55cf3287838161e9065528888f8529a |
| SHA256 | e1c7cab1b30be0002eafaa2a9d036832ec753040f7bdd424241a8f6362d0179b |
| SHA512 | baec6b25b014b91c42bc292491cba67f68d8c7fa1effa154571c3f3886ce3e79c9d8b9c507cbb45f5e91ea4bbccfc056a90205fd71888ebb1392d7b73a4314b0 |
C:\Users\Admin\AppData\Local\TempMUGNS.txt
| MD5 | 11ad762658723fe1b07038c8e4abc9b0 |
| SHA1 | 6b1230f97f32cc96cb804b5f8f298db5256d61b6 |
| SHA256 | 50785427907723a9a882eb1d1445f49c12aa49c2c91ebbd6ff09907d535b6a72 |
| SHA512 | 772ec9d8d6caa163e5d2b1aeffc90df81ea74a513117b85389d5e880e257de1cc6405817cf340474a71e4d9fdab3a005610e563b37586add9416a5cf4575da88 |
C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe
| MD5 | de5863f5e64687eed5db5abc95ff3919 |
| SHA1 | 230428f0f5d27fefacee7b2a4a83cb1a51916a55 |
| SHA256 | 538d4230c1c09e13c6c1687112ab44706f605a9d42bec833646a9cdc9038eec3 |
| SHA512 | a8e141b4c69df2bcbacc81b4f05a6b74c45792e8919fe4c1b6f61811654dddaf398f94018be83dbd1c139484c3498b126c04db3ac7837488d51587d927671033 |
C:\Users\Admin\AppData\Local\TempPXATT.txt
| MD5 | c04a1800909a8333e71fc197ff071d9d |
| SHA1 | 12305c72700402a3574bdce6bab13accf4c3520e |
| SHA256 | 9fd133e75523e0545c523bcaa549d63c7b0a0c061da1020cebcf05bcbd9c825f |
| SHA512 | eda4a8f1c4c00b6a813678e8cbda76ef6fba0365089216aaa81938db677029e618901709b7d63993a48cca9be5d4accdb9a892d431d7a96739291e10560e4c7a |
C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe
| MD5 | f5ddaa57dac5012400e359f798ceb80d |
| SHA1 | 65e31cb1cdf7d319ecb1916610ff0512f2e4bc31 |
| SHA256 | 3e90354adf3e621dd7a7cabd5424e60789479d6ac6f3e4c5d81fc0ef72b60616 |
| SHA512 | 58c3fbec09389f370a22512bed07c5d2cdde18c62ec1d1974001530285e3cdbc1eab5d20266a568e6ea0c08295edd5a5a0a506cae584ccfb2a2468819789c70b |
C:\Users\Admin\AppData\Local\TempESYKG.txt
| MD5 | 69608039a9100b66344d0e27f28327a8 |
| SHA1 | 3fbf0948e290149ffb90b21d9e3a401258de0d9a |
| SHA256 | 1cae5fe5857a1de42e0423f499784d1f1d501cb7a5a91c479b51c73650e6eea0 |
| SHA512 | 4a363a1c576361a358d4a878099c99d905ffd54806868f8fbbea3edd1d7982afe4f71de32435deb901ad36d1ec145c6d949f0498dad5d3d6cfcc1a551bd3b0ab |
C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
| MD5 | 7927853e448a6800ba402fb33e9f0514 |
| SHA1 | 8f6bbb34fed42cc12fa8a22765906de342145821 |
| SHA256 | 2a1113d2e115340111dd8d51ab360e83aea9d28cb378f9093b2a26b2a47efa92 |
| SHA512 | 2775bdbbd61b469c9c7490def83f3c4902998ac5cdfe500d8d7c59231f7506d76d3ec12f8747078fb41c1412713d16fe26aaa37d7bff2c6a55e84aefd2333394 |
C:\Users\Admin\AppData\Local\TempDYBNK.txt
| MD5 | 9b43f1e53278510e2b5775bc17f3827d |
| SHA1 | a0f267cb87243f5c90671be07e6af69093dfedca |
| SHA256 | 35f64b5dc8c76cd13d69761f7af1983305a31b1289a2ff0275f206b83dee395d |
| SHA512 | 555d924197b1c4b0aa9807149454ca383f6bbddc39806b28b1538c2ee7252e594180912c1dd0368b6089ef7dba2c8cf49281391a3964a247464ed1bcdec83402 |
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe
| MD5 | b2a80fbde54954056e4e4a4d000bb83e |
| SHA1 | 940bae9219f24585c900991568826c62dbeb74a0 |
| SHA256 | 2d4d7dfa2daa2cccfdd66a2444ed3586717c50fae985a7d39bdb6b2e6b255758 |
| SHA512 | acb65c8a8d4fa3a041d37471ef142381fa7bf600718c33b29d84a87e261bb852ef8345fddd8479aac2b8cd3c5c02088889431e873b849cdc0ad4c70375bcb6bc |
C:\Users\Admin\AppData\Local\TempNCLWU.txt
| Hash | Value |
| MD5 | 5ef664327d98f54123692599492aaf28 |
| SHA1 | 526ce8210feaf0ecce7d4bd510287fdd8236abed |
| SHA256 | 25fb1541225d23d003873be0bd315f6568caa114d1b2e26aabcca6479afa1fa0 |
| SHA512 | f3a91a5b033967b52b3755f34976e5226408810fddc432a31a6eef0b6032d1f087ff86be4ab927fbd4b299bc13caebe4de7513805b8e8377dc351a60ac70988f |
C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe
| Hash | Value |
| MD5 | 8272076e6637cc46fcf4140869dce5aa |
| SHA1 | 6397b18cb531469b675c340226e84f246f045d11 |
| SHA256 | 3bdb3dc8a095acf5942a20d0c387129c361e935e1ee9eea0f3f04d317ca221f0 |
| SHA512 | b4405f8f74b310323aae67c339248c68c1fc827272e57c220d108488f187d063bac069050924746bfeadf1cf3653e3f6b27ce0c6957d4260904912ab13eea2a6 |
C:\Users\Admin\AppData\Local\TempGBIWE.txt
| Hash | Value |
| MD5 | 9d8a73676ceac800fa001ece1f4e52f3 |
| SHA1 | 789fff73252bda26653a511337e96d9121f836b7 |
| SHA256 | aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51 |
| SHA512 | b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df |
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
| Hash | Value |
| MD5 | 492e51bf04a52ef6965ba29d8e9dd3cc |
| SHA1 | ed24cc7906b8af9ae9b650a6495d754d39f94779 |
| SHA256 | f6282b1101ef2d15f0ff169b4feb4fa2b9d0ce8107429614fe542866932fc6a9 |
| SHA512 | 51992f082f6d559f94b7fad0daeb340c8c20580bc2894df2461f1590255360bde795f6eb554548987b7110791e794db55645f7db203765a38252fb10cd696fba |
C:\Users\Admin\AppData\Local\TempTOWKL.txt
| Hash | Value |
| MD5 | b71c01ed84b9c66ee2975a5fe4ca198d |
| SHA1 | dc47384dfe9dfd2b9cdd5a1ea315acc21f928bdc |
| SHA256 | fa4dfcac5b1e69c83a7d52ecefb1c5a31905782df3c0f0005d8dccad4c0818a1 |
| SHA512 | 353f5282d2fccc0babdc7321ffb5fa9b44a479351ba1de7f1784439ec5bb2dec6fc5eb1f5d51e609e054e0e93800d5a6673d882ebf527a918752837e4ade8897 |
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
| Hash | Value |
| MD5 | 9c378d88187969c61c24a1bc8fbc0825 |
| SHA1 | 078fefb723decd58a0ce844a8be85f422abd8557 |
| SHA256 | 82969ceaac95fd5ae043c8e61d33176fd74b54c0d9c4933901f37cf403b11d14 |
| SHA512 | f1e5dff967cc3e05be1aa308179ba901c6d665ed494434d3a1de79d6a38f0b7dfed70d179a4eb94ce08bcd56fe6663a6863898769b9d74daf8f7dde7184d8b2f |
C:\Users\Admin\AppData\Local\TempUGHEN.txt
| Hash | Value |
| MD5 | b317d9a4bda7ec2fdef220e86c280304 |
| SHA1 | 586b2e3290b4f5ee43497f276e0947a58c5c2e95 |
| SHA256 | 907f30592d821d1840375f7edab3ddf81e588a04016d6f784b898e84828d2db2 |
| SHA512 | 09ec2b91e554a5e76865a644916894cc6002f118f1d51f3916fd40d614be15e142533835deb3959398dcfbe6fabec0dcdabaac95ad99a7e50ec9859738a39a48 |
C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe
| Hash | Value |
| MD5 | 60f0ba980005f6385ff059faf715e155 |
| SHA1 | b8505070ac45bc6cd752f9d07ef32d77c63c0b85 |
| SHA256 | 2b37f36f1849cc9d40c38828a297d75a0baecec21a356a8a2300e46859c07a98 |
| SHA512 | 3c0a68faceafd17e83f1a27ca61249a08397c513d8d1fe9c9bdd58fd35ef0011fce4c0b1b8c85bdd888248bb7e31131e0004bec8829bfbc36eeab395fdd89f47 |
C:\Users\Admin\AppData\Local\TempJRIGS.txt
| Hash | Value |
| MD5 | 64d0c25d229ee11d34007aca9e0a800f |
| SHA1 | 546a8ccc6d36f93efd41ab04b2d7063fc2864072 |
| SHA256 | 5f04f7e88481707ccdb5e17f4fab5d9389edc620d1e86da98b30897c05bfd50f |
| SHA512 | fa96fad4fafa3c3618559d62ec42d46fa3bba62c7fbb27d85dacb83997a3f7bff35a175c234013d635fa006fc49ed99cb014c954ef3e9c4f732c68d2ff3dd7ef |
C:\Users\Admin\AppData\Local\Temp\SMFLSDERWOWKVLH\service.exe
| Hash | Value |
| MD5 | a656d174799616a0178a322c2905c601 |
| SHA1 | ccc18da9bc257507434e07d0e8756dc4ab8e92ae |
| SHA256 | f1da973b54d7cf1dafdd5a2cf19e9c76eb97b5752856dba491d0b11c24f088dc |
| SHA512 | d1a5c42ecc2c136d58deb8809056b932b2ec6195a4b7eef65c75f2f860c223d4df1f181281f4b2c981e403db979d8b0aec58989c068ac0b6b91dcf3cceb61732 |
C:\Users\Admin\AppData\Local\TempFYYNW.txt
| Hash | Value |
| MD5 | 55ae9eaf6bbf34f43d2b174ad6d75110 |
| SHA1 | 5d828ffea60910fd94a9955fbaf2d31f9deeccfe |
| SHA256 | 5e8f4b6191f88b6e94835de40dadc0eb7543bb512cba996049bc01d1fd73359a |
| SHA512 | 2aea0961f2890f47b695ad363b7be7414c87a27c7669708f57d32184b42b64a48e9427901a7581db444cc0816313b544c9f36b48b133c1a14ca398c056ba4119 |
C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
| Hash | Value |
| MD5 | 0578981329cb94acb48a9835a8648b47 |
| SHA1 | 8db28bb31226908d10ca04b2ac3f782ccdd1ee3d |
| SHA256 | a7c9f2f4f0e31f0a374b9ff3e80a5b022cd852830c9db95a9aaf902b87cf6b9a |
| SHA512 | 7a6e52c948aaefbdc967836cb2ad80afdd34653f1544197850d3ea2c24a74ae6317dbc6cdb2b797f9cb9f550bab30e2f13692008344d11241e5288da8701201c |
C:\Users\Admin\AppData\Local\TempKTPCO.txt
| Hash | Value |
| MD5 | e19b90bfba2c69d2c21ac3776c877917 |
| SHA1 | 85d70a13fc6e4842be8e175522d24be6bd879a9e |
| SHA256 | f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5 |
| SHA512 | 3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f |
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
| Hash | Value |
| MD5 | e402251fd8d810ed2fd3cb263ebaa166 |
| SHA1 | 77c8f396b7a2467ae592193e6a7179c981475b36 |
| SHA256 | 32994c7b08617921a56ca26f25f2d7b5474854490852a7d91e3b26e8ccfdd904 |
| SHA512 | 06ac0516c545004cf8480d58cb2739778e5969d5336e6b01deefaadc2f002ae5ea2d9fa8fe8cb59b7431506395a75a389203b16ff4a4791d340a9aa474fc26e4 |
C:\Users\Admin\AppData\Local\TempHUFEI.txt
| Hash | Value |
| MD5 | d167a03d6dd56673d92cafa5d589ed7a |
| SHA1 | 3dcd857ce064770758fa80f35b3f648277b44389 |
| SHA256 | 5d325eaf8c6e6c29bfc248ce2cd439f2e648dbb921e018f08e2b91080807ff68 |
| SHA512 | 873bcf5a77b2a7354e3fcd8927312e7da76863130ec5e57eae0eb12e3cd7d2903f8a536265bc3289a05fa1e27d2669b8c048097a214e1f4618fdb07732dc36f8 |
C:\Users\Admin\AppData\Local\Temp\AJASKGBUYKLIRDJ\service.exe
| Hash | Value |
| MD5 | 62737afafc03e339d0a031d85b681944 |
| SHA1 | c39542135425657c04b65b62a3df74262081efcf |
| SHA256 | f065f9b13465174e5f29cfeeebce5f79a8be009ed611f2827fcefbc03fb12cbf |
| SHA512 | 7c3e8994b0ed9da76a8779ff0989c47553c2c1cfaadc63067c7830b4fed22c9526e14c19681470dd290d34593f7168ad77b1c51fa17febd9aeb20862e82e57a2 |
C:\Users\Admin\AppData\Local\TempGWJQA.txt
| Hash | Value |
| MD5 | ff00f653cca12ff89c1093f4c4474057 |
| SHA1 | 61de0079c2342226a77b8ae63b3134b67e30bc55 |
| SHA256 | 8b8d3faa6fcf447f05567e088de707146c7198280d2cfba32c7bc0a29c257727 |
| SHA512 | 20ec421758ffb87a796b6c8a8f7da9a521c4f1002293cd432d4a36de44284fe31065e630e6422af7dadaa0a9bd2244b941dac9b820d5cddbb51e0c120ccc0fde |
C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
| Hash | Value |
| MD5 | 4b7c6007dacacf8dd419c71d9b4c6670 |
| SHA1 | 16faab63288f3a7dd116045c5f091cfc08928139 |
| SHA256 | 9fda86995a6adc5858b951062ddd5f77e4f32ef552eff79d5ad5f933529bcfdd |
| SHA512 | ae5b101ab94722ac837c85302ed7408acc70b4810d51806845a1274d1850d015995b83587adb542564bce1b2698bc479a2f24696afb70182aab9edad86c1c91f |
C:\Users\Admin\AppData\Local\TempXGGPL.txt
| Hash | Value |
| MD5 | 4733ad9fb4d445ce8b49c8b002dde71e |
| SHA1 | 8d4b4d589d282443c98be543edfa3f434918f8b4 |
| SHA256 | 7664fa4d5f995ccecba9e4533425e6d9721d4b9904dfdb5fa8f8548400afb435 |
| SHA512 | b54d22b7fc7643d666e22bad1e9823c925cab1082d822bae8602b9b6bde1425cd11ee4c8dc22bd3c3d1645f8b32656ffbab2ac547c50f2b692128dd3261e12e5 |
C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
| Hash | Value |
| MD5 | 2a7525d96b56c65ef19228c717bd67ff |
| SHA1 | 68b5650a18baae2c059a1e8256db24a47ad722f0 |
| SHA256 | 3a74fe0351eaeb2d89e96ec0ae9019fbe8000e8a855da9f2fcf60bcbd131b762 |
| SHA512 | 6bec9ea28cce2fa52c4acc91f8ee081bea45cac68b092a67236f4765967d86bcef28371d291084e65d9a4ee866cdf1ca41a9651660ef8188ffad02e5063647d7 |
C:\Users\Admin\AppData\Local\TempXODMY.txt
| Hash | Value |
| MD5 | 2532dcbac1e834e1e1ba52c75085adee |
| SHA1 | bae15f077e4b3c0946605dcb8f0c02bd2a01e1de |
| SHA256 | 32ff5f70924f75a8b5469bb91ab121e0e882fcf752708bd9b0d6cd52e4c18c1f |
| SHA512 | 9706d09abf6dab11b48c323e5a6679d66b51dd1ec1645d045a9eecd922900382520c4e70d4570bf23af68d792115c6f1135daaba193a62a046d7438731dcb7f0 |
C:\Users\Admin\AppData\Local\TempXDHXY.txt
| Hash | Value |
| MD5 | db21fcaad3f7817206eb7a5ab13b967e |
| SHA1 | 8767af79dadac7280b9d65d26f27b0c4fa4e7d5b |
| SHA256 | 209d81c873b175be359c27db3bd5dd27738a41bc2e0feb133a7a8dac001787a7 |
| SHA512 | fdbf17805815cda30cf9048111e58b2d096157ddc3fd339d2a67fa657d747b3f78cb8be28c9c5218f3217b5b42d964a16a3986269d50ca4ab4aa15b6061855f1 |
C:\Users\Admin\AppData\Local\TempLIQDJ.txt
| Hash | Value |
| MD5 | 957ad5dbaa44ac91d5d250272d2a94e1 |
| SHA1 | d6c101bb30848098ab9c181fbbc422278ab6f6e3 |
| SHA256 | 64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582 |
| SHA512 | 052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857 |
C:\Users\Admin\AppData\Local\TempDXBNK.txt
| Hash | Value |
| MD5 | 2f8d9f8f839cefaf6e793c822df4b87c |
| SHA1 | f12d7e789a19dc007186bbe483fc8244f76f6409 |
| SHA256 | 894c1f0c748825d255dc02505fbc207346d341ffcaa0716bf777fc9d5f66b2e5 |
| SHA512 | 7aafcc9c63587e06c1e1f28b1a809457f5921840b009b69d8c36107386f39a0a492bb13a5ab3b56416686f79cc33fb4f20a16c711670a3c568fe50f4b2712ecb |
C:\Users\Admin\AppData\Local\TempYXTTU.txt
| Hash | Value |
| MD5 | 980956a3fe5fe8ddda8de7c1fe0fd3cf |
| SHA1 | e9e6968fd02fdce967b5654748d3661c2ea51542 |
| SHA256 | 8c013a7f3be51959e476fd7d7c15a4fbe3ac3a594b4ed14642d3c1fff110a1c2 |
| SHA512 | 9dced64dae35c0c80e8da9b4461783d0e952df65d6c876c251bbd29c42bd34b0708a20da46efbde91f1e9fce943828afad4d0ba5bce414aba215bfa93507db7d |
C:\Users\Admin\AppData\Local\TempNWSAF.txt
| Hash | Value |
| MD5 | 1a15ba0942c96ad946befe1a84299150 |
| SHA1 | 81cb5052e3dfbfccfce36ebe614cda1163f72d99 |
| SHA256 | 00f4acfc005e1e8dd5cd682d989afe03f1e7ea57a57fada424cf43a6d33920b9 |
| SHA512 | e9833508ee354ba75bbf490d6cc67783a27f8da1acd56d42045d81257d29057f350bc5f98943caec0ca5d8cb1b9697ee782c6795316c38fa309227e866bf6268 |
C:\Users\Admin\AppData\Local\TempPYPEM.txt
| Hash | Value |
| MD5 | e6348f4c811ee47c64701c4854ced368 |
| SHA1 | 68ffe06a37d8f3204a521ec7b3357fb1b5cbb15d |
| SHA256 | 37575df12f3a31ef0ef92193c5f6e95d5693c23605f8d469c1990f11be89c6b3 |
| SHA512 | 7a94944804c638197d435f2dbb392b8f9fec1edc40352ab6ea1a04a55cb8f1570dc13b31014d3ccb5ddd18a9de9ea626d9d6a4857a4414f417a3c4e462ff400e |
C:\Users\Admin\AppData\Local\TempNOXTA.txt
| Hash | Value |
| MD5 | 2f639433a90ffd80f88b06472aaee1ca |
| SHA1 | dd95f3059098502e98cb1f11ac51b756c509fb67 |
| SHA256 | 1adf52f8a0dd36c614052aa308038793d2c314af5e50719c6d987888c77f4866 |
| SHA512 | 24bf0e75536c0e50be3e88c7e95ef7fcf6f9fb17e54620d35e05bbaf251556a81a552f0d5cae5d1c1d8d79d62d87e3ee591e3126de0c0fedacd2c684820db5d4 |
C:\Users\Admin\AppData\Local\TempXGGPL.txt
| Hash | Value |
| MD5 | 8596d03e05bc1bf684fe5378480b07f7 |
| SHA1 | a95b91da45c2bb6b394f5eeab3460a94c21f736e |
| SHA256 | 7f351ffb826c3a4571de9b839701b2fa4a950f06c9a8fa95f70c6b434ee5bd80 |
| SHA512 | 689d156e1b5042a895cad83e84d6d3f17f20d732aa2225bbe96eb555974ea0a9a3c683e13cc4fa415b082149d002818e8318e28db13c2d0c191d1d25dad11c59 |
C:\Users\Admin\AppData\Local\TempGAOXK.txt
| Hash | Value |
| MD5 | 598c7a777f5f0a84cc669b3a7f8b600a |
| SHA1 | 2de190e40ca2e0371431d3ac32fcb09e0de43e73 |
| SHA256 | 35097cc0642644b48962b699c8449c6e4a7e7b3f8aa84004c406cf5a729f2153 |
| SHA512 | 40daadec0a15451ee14053983a19ea3428c213eb2bc5c8028fa29409041c68a0a28e46507815923bf0d6e4649720de9c192c0876577e1244df2974d6ee286de1 |
C:\Users\Admin\AppData\Local\TempQYQFN.txt
| Hash | Value |
| MD5 | 36cd1200fc8bc37dcabde2335c93e89e |
| SHA1 | b89c3f37aa79580e28d070e39731a9aab936b22e |
| SHA256 | cbe722f95bea66b473aacf60f1c3be929686dad96de85290e15759b16f835fb0 |
| SHA512 | b6f9555594b1b4940c922a7ba786c4ca7e1e62a47062d48e375f8608b35c1fcbda471f2db921035f40ca601975bda7655bea913e50b3bff909895b26d9ab4272 |
C:\Users\Admin\AppData\Local\TempEWVSS.txt
| Hash | Value |
| MD5 | 393d3bbac3e0801b7c7ad74ef52aec45 |
| SHA1 | 8d592a375f8e568d475226aa524889ae9c7cf0b1 |
| SHA256 | 6a386293abcb8f980e7215c56efb83b1c8752d6a6ca8cdbe06816534ff236605 |
| SHA512 | 4d76a25d169c51025af3d6013259a07e697f6312745d254ba5e47f46f77f63fe49b20eec5ed731b7b1d3630379429c8701935fb28436a4d3514fa54b5582e838 |
C:\Users\Admin\AppData\Local\TempKLUQE.txt
| Hash | Value |
| MD5 | 68603a3bf33b1371944acc84fda0d5c3 |
| SHA1 | 8a5cc76d43e8854a064902a694058a4f0139da4d |
| SHA256 | 0c380579cfffe81c26242eeac446dbbaa5cf10bffe6c9ad0517dce461f07c4d3 |
| SHA512 | d3db01ba305d3cba257fd53ee0d087f639a723587311a2df6938e96dbfb070ddb3404794b2b029b87ed388604cd6239509de1824bb1ce5b12d3eac45e294355f |
C:\Users\Admin\AppData\Local\TempUTFNF.txt
| Hash | Value |
| MD5 | b2b70af0804fbd3d7253b7cccabaaa3d |
| SHA1 | b27bbc932aaa03195e624ee98e325e2a4bb69a81 |
| SHA256 | f3381ec12229252b26164bf595d7ac29e812cb97ad072cd1d74534d1c6f7e24a |
| SHA512 | 078f158ba5ecc7792eca6e9ff6bb281d122c17a9311a92ada8a6bcdb44f62ab14c3ab287e278b2766f0be305a69caf71f26b6a7e0367a756093699bd91fcfabb |
C:\Users\Admin\AppData\Local\TempKTPCO.txt
| Hash | Value |
| MD5 | 6924cd32a0a33db2140009298b4b812a |
| SHA1 | 6442a9818093e0fb37b9af856fccd6ccaf8a5737 |
| SHA256 | aded1d2932822ab8a791a717911af196bcf7715493bbea38730a9c3e64efba9f |
| SHA512 | 1761311e8094f56c790d3c2cce5b52d6a9e2410766c596d189e3d9d0a16135ffa36ddc609364fbc1de751497759da17feb2c2ff18c5a47527a4c13190f9fcf4a |
C:\Users\Admin\AppData\Local\TempBEFPK.txt
| Hash | Value |
| MD5 | 5d5193981fbb091f2db96343213a1540 |
| SHA1 | ff915d08eb74f807c0f4025cb9328452915d57b4 |
| SHA256 | 0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611 |
| SHA512 | 22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3 |
C:\Users\Admin\AppData\Local\TempTQOSN.txt
| Hash | Value |
| MD5 | bc86c0446fdb1df8d67a42771c206cb6 |
| SHA1 | dbde23577c1b83d30d0f2f112d91e9cae31db673 |
| SHA256 | b773cbc680bc134b180039e7542e759164cd211588c6e2710a678c736a46db0f |
| SHA512 | b898f9925bef5b75561ef873600e498d85c46fc53270abb11e5d516207caf066921232fa812630e9dca489a37d50d389864d3e18689d78c4d3a5028e08d16733 |
C:\Users\Admin\AppData\Local\TempGGEMF.txt
| Hash | Value |
| MD5 | f6d84f48ffef89e54d20d7a0efb4dbbe |
| SHA1 | 6d8779f55eff63cf837b88cd38fe5b82b898eb6d |
| SHA256 | d8a7b021bfc52f0396fb8a2eb1f2f4b9b4fd13ac81a66a0436062fcce4a27c21 |
| SHA512 | 5ef6f47946907fdcdf5a1d6c794692b7f283ec24906ebaa886caee01aed9a026768fc2fe59b476615bb30ee78e5ca8743a16546d7f44962073cdfbf05c0487e9 |
memory/3580-1002-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1003-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1008-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1009-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1011-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1012-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1013-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1014-0x0000000000400000-0x0000000000471000-memory.dmp
memory/3580-1016-0x0000000000400000-0x0000000000471000-memory.dmp