Analysis Overview
SHA256
e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Threat Level: Known bad
The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades family
Blackshades payload
Blackshades
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 23:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 23:01
Reported
2025-03-08 23:03
Platform
win7-20240903-en
Max time kernel
147s
Max time network
144s
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMAMYVATXSOPCH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJJKFDKGWJQA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFDIVWJOWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGBAQROWIP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ONAIRYJFAQJKTWY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSLBLFYDFWSTA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCMRYKAACESAONH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRSPXKQVGEIDLWB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WUSWKANJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WJLGEGWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYNSXEFCKDHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPAQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYRHRLJLYBGUT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQORGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BOFSOMRDRTOHKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIQCJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJASKGBRKLUYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOTMCMGEHXTUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAVQDKFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWLKLHFMHXKSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHUFEIVWJPWWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUFRQRMLRNDQYH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHCVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMLYFPYWGDNHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEPMLPCGCAQWOFF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKYAFO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHVUGOFXPLGWPBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGTWARKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJTETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVOMPAFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUTHIECEUHPJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVANDRNKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UWMGELULQIQEOFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFRDBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANTKSGRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJJVSPTOWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UCQPBJBSKGBRLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYDUPCKE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSPKTEUETURAMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJEDSTRAL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRNKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCXQWI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMRYKAACESAONH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOXTAB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGTWARKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOKXWJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYTRAA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRSPXKQVGEIDLWB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMVRFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempOPYAT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMAMYVATXSOPCH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
"C:\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFDIVWJOWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
"C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXIGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJTETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUQQFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJJVSPTOWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
"C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLGPGE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe
"C:\Users\Admin\AppData\Local\Temp\JBRAISOJEDSTRAL\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempUFYAN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
"C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXJGKF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSPKTEUETURAMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHUFEIVWJPWWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe
"C:\Users\Admin\AppData\Local\Temp\VCUFRQRMLRNDQYH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempQEBPY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BOFSOMRDRTOHKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIQCJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGEJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJBTKHCVLMJSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCFGQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKANJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRUVHI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QQMLYFPYWGDNHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
"C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOFXPLGBAQROWIP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJKHQC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONAIRYJFAQJKTWY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe
"C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJASKGBRKLUYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAVOTMCMGEHXTUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYLMJR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UCQPBJBSKGBRLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe
"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempXWTTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQVFRDBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGPBHMCO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEGWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLVDYNSXEFCKDHW\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempHCIWE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEPMLPCGCAQWOFF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe
"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKYAFO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPAQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe
"C:\Users\Admin\AppData\Local\Temp\IESYRHRLJLYBGUT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAQQOW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUGOFXPLGWPBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQORGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUTHIECEUHPJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe
"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe
"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
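The command lines above repeat one two-step pattern: a `REG ADD` into `HKCU\...\CurrentVersion\Run` pointing at a freshly dropped `Temp\<random>\service.exe`, then (via `cmd /c` and directly) a `DoNotAllowExceptions = 0` write to the StandardProfile firewall key followed by a legacy `AuthorizedApplications\List` entry in the `<path>:*:Enabled:<display name>` format, here labelled "Windows Messanger". The following is an added triage helper, not code from the report or from the sandbox vendor: it parses such `reg.exe` / `cmd.exe` command lines into indicators (Run-key names and targets, firewall exceptions with their display names, the forced-on exceptions flag, and every executable run from the user's Local\Temp tree). The sample input is a constructed list of lines copied from the behavioral1 process list; the regex, the suffix-based key matching and the `Findings` structure are this example's own assumptions, and the `ControlSet001` / `CurrentControlSet` difference between the command lines and the registry-event table is deliberately ignored by matching on the key suffix only.

```python
"""Extract persistence and firewall-exception indicators from reg.exe / cmd.exe
command lines recorded in a sandbox process list (added example, not part of
the report)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: command lines copied from the behavioral1 process list.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe:*:Enabled:Windows Messanger" /f',
]

# Key may be quoted or bare; /v, /t, /d appear in that order in the report (assumption).
REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))'
    r'(?:\s+/v\s+"(?P<name>[^"]*)")?'
    r'(?:\s+/t\s+(?P<type>\S+))?'
    r'(?:\s+/d\s+"(?P<data>[^"]*)")?',
    re.IGNORECASE,
)

# Matching on suffixes makes HKLM\System\CurrentControlSet\... and
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\... land in the same bucket.
RUN_KEY_SUFFIX = r'\microsoft\windows\currentversion\run'
FW_PROFILE_SUFFIX = r'\sharedaccess\parameters\firewallpolicy\standardprofile'
FW_LIST_SUFFIX = FW_PROFILE_SUFFIX + r'\authorizedapplications\list'


def parse_reg_add(cmdline):
    """Return {key, name, type, data} for a REG ADD command line, else None.
    Works whether reg.exe ran directly or through 'cmd /c REG ADD ...'."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    return {"key": m.group("qkey") or m.group("key"), "name": m.group("name"),
            "type": m.group("type"), "data": m.group("data")}


def parse_firewall_entry(data):
    """Split the legacy AuthorizedApplications\\List value format
    '<path>:<scope>:<Enabled|Disabled>:<display name>'.
    rsplit keeps the drive-letter colon inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected firewall entry: {data!r}")
    path, scope, state, display = parts
    return {"path": path, "scope": scope,
            "enabled": state.lower() == "enabled", "display_name": display}


def is_temp_drop(path):
    """True for an executable living under the user's AppData\\Local\\Temp tree."""
    low = path.lower()
    return r"\appdata\local\temp" in low and low.endswith(".exe")


@dataclass
class Findings:
    run_keys: list = field(default_factory=list)            # (value name, target path)
    firewall_exceptions: list = field(default_factory=list) # parsed List entries
    exceptions_forced_on: bool = False                      # DoNotAllowExceptions == 0
    temp_executables: set = field(default_factory=set)      # every Temp\*.exe seen


def triage(cmdlines):
    """Classify each command line and collect the indicators it carries."""
    f = Findings()
    for line in cmdlines:
        reg = parse_reg_add(line)
        if reg is None:
            # Not a registry write: treat a bare quoted path as execution of a drop.
            exe = line.strip().strip('"')
            if is_temp_drop(exe):
                f.temp_executables.add(exe)
            continue
        key = reg["key"].lower()
        if key.endswith(RUN_KEY_SUFFIX):
            f.run_keys.append((reg["name"], reg["data"]))
            if is_temp_drop(reg["data"] or ""):
                f.temp_executables.add(reg["data"])
        elif key.endswith(FW_LIST_SUFFIX):
            entry = parse_firewall_entry(reg["data"])
            f.firewall_exceptions.append(entry)
            if is_temp_drop(entry["path"]):
                f.temp_executables.add(entry["path"])
        elif key.endswith(FW_PROFILE_SUFFIX) and (reg["name"] or "").lower() == "donotallowexceptions":
            f.exceptions_forced_on = reg["data"] == "0"
    return f


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINES))
```

Feed it the full process list and the three fields that matter for a hunt fall out directly: the Run-key value names (random 15-letter strings, one per drop), the firewall display name the malware reuses across hosts, and the set of `Temp\<random>\service.exe` paths that should never legitimately hold a firewall exception.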
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | | tcp |
Files
C:\Users\Admin\AppData\Local\TempKTPCO.bat
| MD5 | 824bcda855a5c1779b5c35f09764b0f8 |
| SHA1 | 7a4587cad864334b7bb2447fc3b19bb88ca5814a |
| SHA256 | 0952fbbef3fd5cd352854d62d984c43a75e090b2485c4c191dc8c2e857df6b93 |
| SHA512 | 285edfd0bdfa0b32400c1d0e733284f70899659f8e40321b3bfcd2b1343e7dcd17555ae8aac9af015ce2add12019ec16f9d63c9e066efdbfbf992b25c997c5cc |
\Users\Admin\AppData\Local\Temp\UWMGELULQIQEOFB\service.exe
| MD5 | c7b83a2a421cc8be4bacad9472693fc0 |
| SHA1 | 6e39a776876335639baafb84c926480fc88ec144 |
| SHA256 | 527f6ed59d93244fef356195451d28c39e8413c590aa303ad99918b2ba078907 |
| SHA512 | 3e51e7650103df02268a2764a345c709af9b6a0ccd3f4509b6ec1af1e9d3ba145dc352d6644407913c39979b797f49679d89c3cbab16e519103cf05072cc086e |
C:\Users\Admin\AppData\Local\TempBEFPL.bat
| MD5 | 06d296f775cca1756baeea0ea8c19981 |
| SHA1 | c44d01cc012cfc820decc11d1130bd7735d7e304 |
| SHA256 | 0492b900c330872577dec7707c8b3b2c38406dd6b9ae943734b43e356d4f8e9d |
| SHA512 | 9a93e9bddf001eda01cacc3af995a069d686b0cf1b530062ec47cb3bc38b44b205335bc4e3929b31fe2fd84482152b800c83964fb3edb0e40854a71223025d88 |
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe
| MD5 | e49983939fd80e2a8245f55a11de3258 |
| SHA1 | 8ad950b6da7d14af520525b966c51c10e122be4e |
| SHA256 | 5c0ead4b0f6c391ef7b0c37c060bf33a72b43eba729fe380780896d2d8b18fca |
| SHA512 | 0d90aa3f3452492ca3595126f7165adcb745aaafd68f313c53b8001878ea0edfc391fd810956341f5c08facc2ccdfcf851b5e9bc5df2921dde2a5d39a89b94f6 |
C:\Users\Admin\AppData\Local\TempCXQWI.bat
| MD5 | 60040991629efa0a6b89bf48f54e5e33 |
| SHA1 | 156b15affd14cebf74b6f52a9c6460a3c9d0fc24 |
| SHA256 | 58519c9bd52f13af5b34c37e933e700051297aad4aa304e697eafe97daf21a9f |
| SHA512 | a591057de9e7655d2804cd19dff6386548a5cc31fae6394145091bf54df84b36bda80fe10a751620a13443a9a2dc2adedec6727930ec2cb1749b8360aeeebbb2 |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
| MD5 | 9ff9eb746520d3d526b6ec025ad8a528 |
| SHA1 | 974bcb7fb3c064d1d1aefeb8254b7fb69af05aa8 |
| SHA256 | 3d850fbc9731c81dbfebd95b429467f32be5397ca1aa7f9cd7e6ab42fa7d146f |
| SHA512 | 31fec7d2b18934a4673442b6ad094adc90f1519ebf44a09ce72dfc8968095071470936b5db9454b6c33754ebc7361a903d18dcf7e9f3dc8425d7cbec5ca45686 |
C:\Users\Admin\AppData\Local\TempOXTAB.bat
| MD5 | 67fcc8cc31fc01ef4ad32664320e90b9 |
| SHA1 | 5ebf97f60988904a6ae7041f6611e5165aca94b1 |
| SHA256 | 5c141959b2f85dc7b44f20d615826e50ab785b422390471520e132dc2b88a428 |
| SHA512 | a51dba79e39be19c875925f3baea17887d24a5ea51c4d5ec964dca589f955ec3d827a2f13f03ed2b2e5b6f551a0d5b0960b412d5fc337f217d3e5f1826dfa11b |
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
| MD5 | db89f61ceb20f99d0c99ee113a6d6c62 |
| SHA1 | 46c22215da9b78d99f113368ffeb8b05c31153d2 |
| SHA256 | d1ef56251bea89e9b650efe9f62abbcf18a894625ec03dd857bbe88f4940317d |
| SHA512 | 58ac31167e4ecf9104c8878bf8555b2c788abffa946822272554b13ca2ea30002b4d293e6e13f88b7a2a5de14acbe5b8c199c4b5a71262fd4f05d2e92741974d |
C:\Users\Admin\AppData\Local\TempYXTTU.bat
| MD5 | 980956a3fe5fe8ddda8de7c1fe0fd3cf |
| SHA1 | e9e6968fd02fdce967b5654748d3661c2ea51542 |
| SHA256 | 8c013a7f3be51959e476fd7d7c15a4fbe3ac3a594b4ed14642d3c1fff110a1c2 |
| SHA512 | 9dced64dae35c0c80e8da9b4461783d0e952df65d6c876c251bbd29c42bd34b0708a20da46efbde91f1e9fce943828afad4d0ba5bce414aba215bfa93507db7d |
\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe
| MD5 | 5ffb48ec50bbad401ccd040ecf621255 |
| SHA1 | 33eba7484384e1c588a723fd9b2e958bac21452a |
| SHA256 | a6739fb3d45b4278281b7e54327479b2517f594dcd43b2af4b7d1775b6d899ee |
| SHA512 | 1ab3ea7e1b799d4126b5edde62857983843d3e20e874b41bb9ad9e2cf3b67eb501975fe9ddace0e160ab4ef280537035cf969c0f6ec30b87bdf47d55eda866d9 |
C:\Users\Admin\AppData\Local\TempOKXWJ.bat
| MD5 | 0610d47178c0b5bef82b8a326205b2f9 |
| SHA1 | 08071e9d9a791440330289fd0c5e028f87361cdd |
| SHA256 | 3c85b25e5ac929f398b2a503d7fc0d7937c20e2d0f2deab7a91afc388b108310 |
| SHA512 | e8d34087a0341ac1885208db75ad1cf4603cd9b339fcd2d22568d08f51cd41ee8c02faea7b587cb97716935b961f79e8759519854cb7ac0a77698964e0163bd9 |
\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
| MD5 | 374063cb2dd7a373c1bb73fb38fed327 |
| SHA1 | 4c21e1bfe9110d47f950117ca6d4d5777059e0fa |
| SHA256 | cf2d01456f471565fb6dda5c7750d3c813ea37671dd0f29ef17aa6014e9a6aa5 |
| SHA512 | 3852014244ea4f9efb6625c59a00fb166da67e1754278d62843b4d4744c6680ea82ab9b4a27f23640f4a79432f7a0a21b314f0dcf4f3fa7780aaa233d573766a |
C:\Users\Admin\AppData\Local\TempYTRAA.bat
| MD5 | 5cf0d14b63b7d16194a0d56e4381c9cb |
| SHA1 | d5dbd40881bd015abb0655ded58060bf72fcb4d1 |
| SHA256 | befb076430c0fcda49bb8f801138bfb2f4f11fce51f9788fa46d50486f06203d |
| SHA512 | 515b1b5d6a4c05db0cc3ed8ec5927d31d9e1807b5e6d5aeddf4fa8ab3f9551083c8ad2adff2b2032fb1aac52c98a578d0364628b14f0f7e9bd9f05aef7715196 |
\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
| MD5 | bf8eb92107348e92ce8204e62267cebe |
| SHA1 | de5383a4071b973c570b6562de3482b590e8ae76 |
| SHA256 | 58cfabbcc7c536cd0c8b1cb0c44a0b91488c8b82126e5b2442e4786137ccd6a9 |
| SHA512 | 35b2dc3f5e344025a49136adad3e0320b6cb990c3fb43254994992fa0c8ec9e4e87108664aebe55e01c43d207c27393ea0bdf24a6e7e490f2df8bf0dac641ffa |
C:\Users\Admin\AppData\Local\TempMVRFC.bat
| MD5 | 5d51186b0c695bd0bfcef3b0ada8be70 |
| SHA1 | c9282525e5c0594b0f68704d3f95a7aa9c967597 |
| SHA256 | b4de230656c06e08efbb232d4eb34a45cfd632f0164be479998b378becc80e8c |
| SHA512 | f71bd231afc6f3259deeee28f3bec584c3f76e4d3f35ec8340af2b56507db9bdd09e121d10fc87d6771aeea278ae53a288f1ec41cfdb532c7a891bdf38080615 |
\Users\Admin\AppData\Local\Temp\WOIBHOXANTKSGRH\service.exe
| MD5 | a2c1dd968287e89b1e9049a228c65f43 |
| SHA1 | 0b627bed1042595bd2f6ad9dcadb0ee7a18f9225 |
| SHA256 | 11ac141228c2dc14f5760fc7fd6e3411d20a1357450850042b41ca4a07aec84b |
| SHA512 | 6a0f26768f69cbe1e4c6eb7cdd1dacf7f489f289d30e47ea601e48f9b4b63e70a5f88f863dbd0d379ec9d113e6f3bb7bd65c5971422ab6837051fec49c1d2919 |
C:\Users\Admin\AppData\Local\TempFXWST.bat
| MD5 | f5dddc8c8195b915447e8eca984daf4a |
| SHA1 | 92ac8e13c3544047b426c6a188f1e272801f7f73 |
| SHA256 | b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4 |
| SHA512 | f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77 |
\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
| MD5 | 9986460d1609bb50876ef9b53310cf46 |
| SHA1 | 80c9df2c772fb7f969b86d24ea32ea39e88c0aeb |
| SHA256 | 952a3d00326086176507731a7090c7ab8f384c80291b1e1a3b49ec39de1b3e88 |
| SHA512 | 9c2c2e3b0628c3c3a852619a5ae0a6c61fb395a58f40ae2c6aa5f0c5c7534165a244634be641d0110469867b02545506741bfd01faf7ab577940ef095f32ef22 |
C:\Users\Admin\AppData\Local\TempOPYAT.bat
| MD5 | 2b4ffd7ea29a7d291f88a002a00b2924 |
| SHA1 | cae342ccf738dc45ca7669b83afe01887893360f |
| SHA256 | 7037aa8423c57a149854cce2ff715fdf48d974122f62798ec6a94b0e978dc3d4 |
| SHA512 | 33ffdf6ff441bf3e0f13cb1762a698b3fa4d450399a96eeebbd576ef9885fdae4c956c6dca7eccf04c7ed8b003e9e1d3657fc1dea86d7202828c932424624dcc |
\Users\Admin\AppData\Local\Temp\VONVJJKFDKGWJQA\service.exe
| MD5 | 82aceb4ccafbb1efd56b7522e22695fd |
| SHA1 | 29ad865b37ecff13047033d1d6b97092104067d5 |
| SHA256 | 295d9a1b4350fed9892ffafc564b0bdc64b12da130a8757573835246520c0b84 |
| SHA512 | 4943cb9d1a4355fbdef77d2203729de6d6c4a55dd7188e08faf029be29661e767b5c70d049415dcb5a2482ebf7a01a58656b68bffe485c31c391028a85c9c163 |
C:\Users\Admin\AppData\Local\TempQBUUJ.bat
| MD5 | c872ef42f00e73a0319a155ea74d0e15 |
| SHA1 | 7410c08d0e874446ecc7eff67abe22578e496d92 |
| SHA256 | 356cb8a3f03f52001f593dab167201e1a906ff4a524164aff93eef9501a28f3f |
| SHA512 | 7646ff930bb06bcac5b5ba579e465a8b4f02809ec81df59655a17c03c30e81ad3c57be8573efa8cd45a3b005816775b5d78470e337ae6d5a953cdf263a4c4bbb |
\Users\Admin\AppData\Local\Temp\XPOWLKLHFMHXKSB\service.exe
| MD5 | 6667c9bd9a0598b215a29fe14f4acce4 |
| SHA1 | 384a435245e6202b4d50ed91cc0bd0467aae5a67 |
| SHA256 | 00ef64d070d000ebcc853c7383c4a52f742ccee89b65cbe8bc2ce16fa3f48c9e |
| SHA512 | de71479506a99d951f61c62397b726357c1f82111d9e71cea8f2755375e3c44571ef954fbdd1f835b94042978465a18601c5734a2bbf542a5ac48e72e036a10b |
C:\Users\Admin\AppData\Local\TempBPYLK.bat
| MD5 | fd1d13bda944b76d047292d1506c4e35 |
| SHA1 | ef3550d5cb21aa824c48f67a30c5d89c4d537d77 |
| SHA256 | a5597a65241fc492acc732e99bf4f506184b0097adc2ea3db800882d34aefed3 |
| SHA512 | 302391e10ce0433a050284241d478cc1adbf4d6d1191af2866e789d7e71278cc67d48c0671ab63d46f179de70af8fb66111cc59f475452cff0faa8e7a8d00457 |
\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
| MD5 | ac20b5b1744c20d5a26d3382d7262975 |
| SHA1 | 97b1f0e1b4b2daf3156062a359689a6ce6c1b61f |
| SHA256 | 671fd3f8afb3dbe3a4aa04b68664ff68ec953743d0acdb8b5bf03d93dd59ea6a |
| SHA512 | 719a48cb9ab814a78b50d44c360f5611d71b4bda96911911089aa320cdce2576ea1541013fba93d3c1be9a058c20b697e45d10c9a80d83fe23b99306103aef7a |
C:\Users\Admin\AppData\Local\TempXIGKF.bat
| MD5 | c19a26b98002090a180fb332b32db76a |
| SHA1 | 29aa660be043cb923e3918761dfe141326daf60c |
| SHA256 | 79f2ddd25316c414e1b27ef9feb998d1ec8220e2e27b67ea98dec4cca626eca9 |
| SHA512 | cc5c4530df3c0e36510e438eb9c9ae4fdff28c36fa194de9259de2bf720be3508666858ffb6b30e16bab30b5e072ada016039b869750a33b88073ebb07263ca9 |
\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe
| MD5 | 9bec2b5cb37772fab15229c48f6ac02c |
| SHA1 | ad5579667cec89fa4701a61e71bc12c6f26bfd99 |
| SHA256 | 609c8deb1da39e747d3ef48086023c22d2a5bf199e52063d5d399c08b96b6101 |
| SHA512 | 3e7a90252595e778eebc889ac43c3cb4f2ec3ac79cb5dda46808382fc729f47d2b5daf71df483216d82e04a20d2268ea2c686f7bdb5ab4effa25cc13bfd8a08a |
C:\Users\Admin\AppData\Local\TempUQQFO.bat
| MD5 | f298269d59afbe4f480fff06148a81fa |
| SHA1 | 2e98dad6d4711855e640bb626e8e59e8c52e901b |
| SHA256 | 85dcc0ab7cca7ee9ae5b790e2dcea09edfac85a469a99f33183b195256349c0f |
| SHA512 | 5090fe8f060af6fcf738292dab6f49b25ecbf0460a3b63a3542403d91501be7068fbb6788c65b1bea45318dfaa27f2586abac006170fca782e8877ee3954286b |
C:\Users\Admin\AppData\Local\TempXGGPL.bat
| MD5 | 73d09bb55e140368f9494677b120c41e |
| SHA1 | 1e7f26699f36aa9e3bfecf62e39a566c6005f5d1 |
| SHA256 | 3afc85474bf15cde25f95b7c1587590d8ee24a2765ca15131da34a40c3b2d3bf |
| SHA512 | ad4aecdda96e6ad1719c966def5391f5a0e1964633f21cd200cefd3b7b2aed28d968ea72ba94c1ccc7fb6bb6a145097cee9a7d0f69257710513a3fc854b7be7f |
C:\Users\Admin\AppData\Local\TempLGPGE.bat
| MD5 | b0636b5a484d942d1477c49e0b735d8d |
| SHA1 | 2871ac01d4df783200865e39170489a096f8d9f6 |
| SHA256 | b8f3faf19c88193998220f98b3be87e48c560b6a77f08f375b6a41f357ea772a |
| SHA512 | 96df53a3ccfea43f36765dd5c5046339213d19dab1e16a11e019d560a6923bf564da64c16270dd39b5ead28fce52ceb67d43e08fc0512d85b690dae7ef73a0de |
C:\Users\Admin\AppData\Local\TempUFYAN.bat
| MD5 | 10e58ac500f28d3bd87a6b66ad6b337a |
| SHA1 | c88155419d3fa93423c816a6ab34e355c7be02d3 |
| SHA256 | f4073b688587e96e1eef3fafc77db30f70aba207a4c2636f5183e4f3609b4994 |
| SHA512 | b8b96bfc26895cc16a0756d73e8651eed5bd8b4cc8de19603619692ed46d58c3f8dfb42edac606c51b803cc8c38322d5356de8df370924a043be53ccdb2acea3 |
C:\Users\Admin\AppData\Local\TempXJGKF.bat
| MD5 | 271339213f855c3ed4631e6c3895d70d |
| SHA1 | da2e346a03afe50f27bc7fd7e8f64853be0a0de0 |
| SHA256 | 5c7944d9ea1f7eb95cb93f77662d264e1460311bbfa8c3d2d3d060aba60deeaf |
| SHA512 | cfaa38976ccbddb2096363ddfd6c8e278df4b00ccfab74f1c6e9e2fe695a9d451fdc80cf67aecb533a7d2344b4e9b3eabb13d3c6f62b82aa64c42ebda3b66d6c |
C:\Users\Admin\AppData\Local\TempBPYLK.bat
| MD5 | b92f29720eab1ff33db22b97c2782f15 |
| SHA1 | 0ff6e778d817a7c3f71c422089e60fc5ceb91d47 |
| SHA256 | 4f46515c7b989cd10d5f131087dc196fe7fc49433c9f308b45ff6ef50315de53 |
| SHA512 | f226c9dba08cb147b4851d50a766130e7ccacbbba32c39f5886d2660a61b3d0b63860da9f361e9dc540fbab44dccfcfc0a6e38447e3cbe04e8a09e9892eb3c99 |
C:\Users\Admin\AppData\Local\TempQEBPY.bat
| MD5 | 4e72d3e60112961a57b2a72138c842ab |
| SHA1 | e52ee2b6b90a128036bda35ea6f9e53e8241bdf8 |
| SHA256 | 397dc89b5e6a0077fbccc933a0b0edba8a076de60546e518ab2a878715905c2e |
| SHA512 | a560af21ae0904ab22cc1d6d2c5b430efd45d9a8dfe33fdce24eb85f27d40a97afdca72167757c3f3e400f22ac88237998136706d312f3a8b5941b1d06077f64 |
C:\Users\Admin\AppData\Local\TempVGEJW.bat
| MD5 | c429153eab55ba177d19099e9716b82e |
| SHA1 | 6338cf95201fdf4c4d0670a05132557dc81265e0 |
| SHA256 | e38544ba4ba829e537b660911a49ac124e2dcee2ecd640963e6aa11cd04e5afb |
| SHA512 | 90116849f981f4de0be363d2434345c8efe423f79f826132a73466da55d48c9ccdb0aca5e246f635d1d2bdaec54d1cd86c7a4cc214712caee74d260e8e454e5f |
C:\Users\Admin\AppData\Local\TempCFGQM.bat
| MD5 | f93e33b71234fa46aea76abb934de754 |
| SHA1 | 5979972a4cfbe27f657d7e7bc66d401f1d299d86 |
| SHA256 | 35570e84142acd63a632c0099fab519587f130e429192dc9b879d05a7532a6af |
| SHA512 | 5eccbb39a725717f4371feef4f036971cca5e00916c4b192bed41313c7c1e7d528b79d09c810a034f4b7c7151d1237e91a5de67fda387e5d2eb75c33df4f3900 |
C:\Users\Admin\AppData\Local\TempVHFJE.bat
| MD5 | ae509edd5dcf523ca66bbe9a385a6970 |
| SHA1 | 755cc715ac1c910495d7ebe4938c14b5f3a5c7c1 |
| SHA256 | 9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa |
| SHA512 | cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde |
C:\Users\Admin\AppData\Local\TempRUVHI.bat
| MD5 | 1ba4d592ec1a40d75455469f95b33c6b |
| SHA1 | 15a872b81fc9500357ce008cdc79e24a40694fc6 |
| SHA256 | d0bc0c629d35c64e6e1c97a5ac4331f420f7f24451a497887f16135462ec51b6 |
| SHA512 | da584451f34396500a3bd52f15d61529e115808dca1558d0cbda98a022af4af94f9dad15fb40e7bb90b501aeb13032e8e95c0bc5428e9366724f6313a75aeea9 |
C:\Users\Admin\AppData\Local\TempDYBNK.bat
| MD5 | 5c4c29a410bd00bbacd2611f885a013e |
| SHA1 | aefca89f9eae0e39d6b8c72f03268ed6fc908092 |
| SHA256 | 1f481099fa4b0c87b95a68a86c643ff38f4840353624b518904e42b634869c83 |
| SHA512 | e4b7b19b4cfd65140b315b5c8ff204c0919e4af50febc215e3a5d67c780ccfa157e78f891cc1f44c928bd472aa1d749ec2a6b46d8e0da13baa707b1220ed4195 |
C:\Users\Admin\AppData\Local\TempJKHQC.bat
| MD5 | b86099f3542512c7dbc00e9321f85070 |
| SHA1 | c0f2b7f78e948bc3b3dc985bf7578151969449ec |
| SHA256 | 2f0c377431e0f2a24518b65ea703471d3d350c57d3cd796922f2477eba885831 |
| SHA512 | 04d42c85b7e35d3cb7345bbb222a862909ea9dbe4830f8872d0932a3d18ec559669ef6676b06000c119c77bef9c34e3dc0119737c49758beaa373a98a676e087 |
C:\Users\Admin\AppData\Local\TempMJRDK.bat
| MD5 | 761523d75b9c30f423b62c6f280a378e |
| SHA1 | 21eeeb6bfd663eb8a888aa5e5b2c825287e3fbcd |
| SHA256 | efe411d82eb3fdb99f8843891b2748be43fff61c331bceba63fd5c5850c8488b |
| SHA512 | 2215a1e746443b6dde24abaca4de0fd008e465a01f7b533c5c09cac50b0f69d062a15810a06174ba2a85eaabf4d0678f7727cdbd6e44941ce4830a0322f0227c |
C:\Users\Admin\AppData\Local\TempYLMJR.bat
| MD5 | 94127c4337ea80ea6f049abb345f04f2 |
| SHA1 | 31f5b87a86f9e3a56997b8bd617d57e29298f0a4 |
| SHA256 | fea8450bf502db38695c29f06dbf5d37abb247780313f9421b82d2ad8daf495c |
| SHA512 | 766755d545c344438e1a948f4ae25bb0a9fa4d96bc28ecd642f57f8d7bc41fa7fbc1953aaa253291cdefdfc9b7c08ad6ee692c7f901a2f8440ac2815e98adb44 |
C:\Users\Admin\AppData\Local\TempVHIFN.bat
| MD5 | bae0445eae1984998b8e8f2e95d61fcc |
| SHA1 | d52837b67fd0715d254589b0abbed61a9e240601 |
| SHA256 | 16ac196a027a14185c2aa74a7b35d47578fb80583f7f4babcd910ac11c386334 |
| SHA512 | 98b89bfc0f41a337748dbf573b6d84bb7939cf60b826e2db94b2095aa385d9af350c4e61be9e4d1fe7d9a9b8efda6f94678ec1e3b24666d5f68e7866e04fbb7f |
C:\Users\Admin\AppData\Local\TempXWTTU.bat
| MD5 | aa10094ff65a0e7402f5568b23ebfc95 |
| SHA1 | 244feb6399ed8c8e2e819e21d366e8d8a039ad91 |
| SHA256 | 4f64efabc8178271cc4a1ca265ef778782b50d3dd09c87539163bd46f88e5075 |
| SHA512 | f4bb4060a55d74dd1272262e97782ec1c365c002989c690a1ee6d6ebba65c501babff3bf24218a49d33f839af6fa993618f29756b39754ba232496efa0f1a30a |
C:\Users\Admin\AppData\Local\TempBTXSO.bat
| MD5 | 1bf4eb48250293512fe2fd33557d8fb0 |
| SHA1 | c78cd22e7b949339071d91fb97511add7f30dbb0 |
| SHA256 | 74899bbdd7dfa2ece99eb1954c0e353ca12316e06495548fcdf8de24ce8cecf6 |
| SHA512 | 4b70793f1f62c357ed670ec93ebc8baab6635aa3b2e33cb5877de5efa0927ed97fcd45308ad5eba5daa14fa0af264f2201c8e4a06616adf686de6d0846c4eaaf |
C:\Users\Admin\AppData\Local\TempHCIWE.bat
| MD5 | c4aab59a6e9f43794e513644788f944f |
| SHA1 | 9f2c271ab850219d3a87188c3a1848cee93001b8 |
| SHA256 | feaaa0448ecb043ab6106f34b913dea22ce6499fc2f0f45c30d399a11005621d |
| SHA512 | 694557e76eb5ac1046cef50aff7824218c4612e93e329a43aaa1a9fa89113a266f71feca021251cbdc4eec57fc8993bbc550495221e9cd7ab614fffd8f25565c |
C:\Users\Admin\AppData\Local\TempWIOTF.bat
| MD5 | ca7c5bcd0b45dd5537334145ce3e2e5d |
| SHA1 | 2917385f44d2886cc09d26748fd890c66275a1f1 |
| SHA256 | 339d3edcd1810beee22b05229c882573ecdc853e769d06a76bcb8c436e744f4b |
| SHA512 | 0ca80c03b35a0fc94c0b8ab410213349cb8e29add7e951464591b2922f5a908b90f1223cda4dd597a4af5ec83e9d1d68953230df10448db8afcbba1caef74ca0 |
C:\Users\Admin\AppData\Local\TempAQQOW.bat
| MD5 | 604014fadbaded9dbd15fa8aae1c67fd |
| SHA1 | 6b796e30f523ec0f8b8b4508cba334ce28a916d9 |
| SHA256 | 5ecd75b87d6a5ba37de4115d6f335ed9c370e857d395e12b4cc130f2e1b8fbb0 |
| SHA512 | 0bcf902a4010221a0867aff7d270471a2117b5e558d66ddfa7c72cb66b5b369daf3c131636a479c87d51a205a7c823f7b5bce482380bbbeaf4804ee9acb1e443 |
C:\Users\Admin\AppData\Local\TempWLXIH.bat
| MD5 | 05ab3e41c1006175a0aaac827ddec92c |
| SHA1 | d9c6617f99777ca69824e580dc6ca631b60885f2 |
| SHA256 | 113dff06b16adff1661340c22a7fff630d2a3ed9001aacae58eaa0931cdef891 |
| SHA512 | a95e7f62ccc886db28770c6aa711013307aba9faba3ad2205a31b7631a2f716ced8c315165fc65faef5e29e857fdfe0f05c19ca13ad5442a6182935519e7666c |
C:\Users\Admin\AppData\Local\TempTRVQY.bat
| MD5 | 075bba071a67eaa4d515b948d126afab |
| SHA1 | 293c54640089b82a5527f11b0f4f9bd82082b751 |
| SHA256 | 0c58df1e1d363beb30db4da96482e62b4e47141aa204f9388b412297550adc03 |
| SHA512 | a59c6570121606bdd49e30c7df73666b6221c69564627aff3fde5e884d2ddb34e165747566dd8b49ed98f880dcc99ca8071f182154d4386eae979bebd04be15a |
C:\Users\Admin\AppData\Local\TempRMUIJ.bat
| MD5 | 971080fcbe388252dffb632abd9025a6 |
| SHA1 | 6b789100b910512d73566a0a8b2e29392aaa67c6 |
| SHA256 | b5817365eb96edda168a8c0fab6876ff593363dea6017b2573ef231fbf5d0971 |
| SHA512 | 9202b0ea9ff52e8e45ce2690ff672b81fc4ed470b127aa0346c75aa4fe686edfaf7e3e36aa96090f5f73efe2a9dcee37e0ac8b23fe0af00d56a0fd8edc5cad9e |
C:\Users\Admin\AppData\Local\TempIACQM.bat
| MD5 | 1725034dce64e5b21bf9bb34f976d7f2 |
| SHA1 | a6a51a02e2e4434a8dbe3be66f59ee9e9198e035 |
| SHA256 | 6b7594806abe8ee858a0469b3bd160e6066e3c8ee725cf7dc6a3e9af9c119caa |
| SHA512 | 9ba942b7912e4f69c72238317d4cb8a1d57c39e193d9523ecf106b1351fe804c67cd5a7473b4faee9da769902a8335d6046ec6b3516c8d699a0b50c62f2055e9 |
C:\Users\Admin\AppData\Local\TempULJNI.bat
| MD5 | 8ca42b41c8e2de27d308a6cc0759a024 |
| SHA1 | 0ca13c792b5c2e0f0b28c31ba19f56810f8e0dad |
| SHA256 | d6e22066c8860f60d38f58320258e5073e2695dfeaea7bc1a1111e2fb11ccb02 |
| SHA512 | bb288998fdd86c53ea2f2e45fcda1a01727eb7698a6f1dae71310c8c2fd695b0a1bb7cb5d74aa9eac3ec61711278a9728c7bd677c736a103e0ed90b4dfb8bc0a |
C:\Users\Admin\AppData\Local\TempVGFJW.bat
| MD5 | 6802e1d742b92a5ca7ef02f9db16d1cd |
| SHA1 | d034a1fe579e06e2b8d5baa8e2faa42c1bbbe37b |
| SHA256 | 513c6b684727277667bdad458fd8639d2d243c797cd6a6a8242fb299455d6628 |
| SHA512 | a35e9c6b2a954c0dc6c8edd5317a28c1a0382f9703e36f4365bdee7439d952d0d887f53e12a535546fc4a3f3078012ba567131d050095cf6d3e9fba47891c44e |
memory/2912-1026-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1031-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1033-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1035-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1036-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1038-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2912-1039-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 23:01
Reported
2025-03-08 23:03
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AEJXWIRISOJSDTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPXHDOIJSVWIJG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJACDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWUMCQLJYOBOQLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TVLFDKTKPHYPDNE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPKJLBOVFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVYJNTAGDSR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OULJNIPEFXVEFYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMFLSDERXOWLVLH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XVUYLBPLJXOANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VNDRMKPCPRMFIKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFKCTKJUR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSNLODRYITYIUGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMEJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDEAFAVQEL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJLGEHWKRAMQBNV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDYOSXEFCKDHW\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDQGUQNSFSUPIMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XLMIGIYLTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENWFBPUFGDMEJYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVGHFNGKBM\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DAEAHTUPNQFTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVMJEXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMALULAVRMVGWBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOKYWNXQPRD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 232 set thread context of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe | C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOBHMC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPXHDOIJSVWIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPCOWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VNDRMKPCPRMFIKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
"C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJACDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWAWX.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RSNLODRYITYIUGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
"C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEAHTUPNQFTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVWTCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMALULAVRMVGWBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHJSOB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUMCQLJYOBOQLE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSJHS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OULJNIPEFXVEFYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOVFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe
"C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBTXSO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WJLGEHWKRAMQBNV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
"C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
"C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSFCR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDQGUQNSFSUPIMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
"C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMIGIYLTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSTQAL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIRISOJSDTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHIRN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVUYLBPLJXOANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempOBHMC.txt
| MD5 | 70184d94e9f3f6e8777a1f90db341b13 |
| SHA1 | f9102f4d54a9ea9bf8c17752e02757a1a67214b6 |
| SHA256 | bdb37d995521e3e457625bf6f7dc3fe98a2ca277b93c74202a8e14df145f82c5 |
| SHA512 | fb6dd1225d9f379f79dca5e5297a84c3234776b485f4f8a05849c74f5918fcc7e9398238b844124dbda97423488ea383528d44f18eda1286545f554886247e45 |
C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.txt
| MD5 | 2ffa10b8c4647b3fb8af823dd885af87 |
| SHA1 | 9668569e5697e192f78bd6679878beac478629cf |
| SHA256 | 0f151230b680a51b148525075d280cb4c556276aae1b07f27f1647784114fa1d |
| SHA512 | ea078db38fcbb366eb219e3be060bda87da7fb630bfe088ef62cf6a3b8effc0364e33cd8a36cf330b7db3b56cfa93f2c4000ec42c961aa6be90d986bece625bc |
C:\Users\Admin\AppData\Local\TempGFJWA.txt
| MD5 | 6f2cf50a62a16cb7fa6b57880d901e18 |
| SHA1 | c31130c5581bb2c672d184800d61c3e7a3217bd8 |
| SHA256 | d77beddb0fe4ccd067e5ff2ae22ff746338db624a86bebc6067210885984a916 |
| SHA512 | b8c15169106c31ccfad7436e321d1dbbbeeac0c2ca9a2c666e92501da6612b9c004b99616e8c837d92d67097a86d2c15428f9c62b3a50b7fe60ef91e9365e63c |
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe
| MD5 | 06b9da828ef7d50d37174bcd013bf492 |
| SHA1 | ebce35af00f75faf8bdab3b5e8bc2d1c75afe5be |
| SHA256 | 6b458101e004754aef571612742d3bc792e5effa26f63767453b250f292904eb |
| SHA512 | 01c9aa31c0403be7995284ff11d7c1f529e3a67b32b33ed96b941eb69bdada242f3e119363e9c5a16119bea752577fbd99ff2b625d3dcac0f106a6eb9d49708a |
C:\Users\Admin\AppData\Local\TempPCOWN.txt
| MD5 | b9bdb0081d50820c8a9224cdcc843384 |
| SHA1 | 0a24f9900d36d1d32c4bab84d8b771ad20188640 |
| SHA256 | 39a8e2908f0b834e3d206d4fe5bbbdc5b00ebc54c979cb4473746752f6729cb5 |
| SHA512 | b1f32c3d5ccda50f472ef3e5e2559bd83b7439244ba5eb4d752b66bcc2752604e7cb9e888d76d4d2421b472d3ef26dbcf3c9de0f85f41b9b74ef0635f4171d31 |
C:\Users\Admin\AppData\Local\Temp\ORGAXGPFKCTKJUR\service.exe
| MD5 | 6803d5f61a3e288aa963872f7daa94ff |
| SHA1 | c67a976672379913d50bac9c34be3d6661a8a84d |
| SHA256 | be5134a6917602562a3eea76b54c05632943952405bda39154098bfc47093616 |
| SHA512 | 051936e7363ba0908daccdf14f773e915e456b9ea400ce4937981a439e1486de94295ae646b55556884d224a459e876cd86d80ba40cad5ead5537626415bf902 |
C:\Users\Admin\AppData\Local\TempBXQVH.txt
| MD5 | 0421624f831bbfbc55712498f7ac30f1 |
| SHA1 | 2f08a37e248d3dd392af140a8abbc5843fbf8122 |
| SHA256 | 27663237f1252562de4d6ce1a91f02515be5be04b426812066ccec990a2bc963 |
| SHA512 | e46addad1851c2deeef2536d79763f1932a64b53473683915f1a9e5ca188504df1df8890a0b5035b7f745b656700bebcd50c3c7750dbfa8533e99be8dea0f929 |
C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
| MD5 | 7f15128fba5f20375521d65bbb60212c |
| SHA1 | 32f6422960bf1d99ca724015a0d24e2f2e6bb60d |
| SHA256 | 3ade0a6e1cbe2b86e93c262551eefbf270cad8faba8c5f46d1b7fa81f413b9fb |
| SHA512 | 7686e374bfb115687f5c179e5fe4e86300b12c86b590a2e13a4aeeb6dbe3065f607295ded423cad0036d036c1c5ab03f245767f0e4d223eeaf603a28892fb5b3 |
C:\Users\Admin\AppData\Local\TempIWAWX.txt
| MD5 | 1d380f5540941a2d03e8a4cd4aba6bb6 |
| SHA1 | 05571e48a5d8c4e9f85de251c401bb470e4bdd57 |
| SHA256 | efdd646f3f9cafcde52c14e3e8a81af258fdbfb171b08af7c316f7a910ff4d46 |
| SHA512 | 27da3d3c0f07d654502de410f4065fcd8f4c3abead470d2ab895af3bfb45318457a9f0fee4f3ed4ab665926ccf7e5b189d9ffc5646878b883c37aa9b79f485c9 |
C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe
| MD5 | 38c0fb623671cccec28f35c6c0241777 |
| SHA1 | bd180313ace092c802b8188e64d3d9dd735010fc |
| SHA256 | 90b1f567d0bb51c587be7084ce2536129a5a38d4fd2e8c418b231317c90d9d7e |
| SHA512 | 4c283c435fe54035bf4f4e695f135f83f2709434fdcfb129e8ff9b147771b56c2e1e4ed767a3f46c9a911f24cf5638a63f11d7ab02398e691df9cd5c01b0dd5a |
C:\Users\Admin\AppData\Local\TempWVRSS.txt
| MD5 | ecbf0cbab9dad148c5ad57d1ce1f59ed |
| SHA1 | 42a9f5253fe3e05faa59878b2382b77ea8341b2f |
| SHA256 | 169fef7bf9b907f256d2785a26cc1cae9cfb98f3ef15023d2b8827b93d8f5911 |
| SHA512 | 5e5e40a1120d77c18885c99c2112aaec6e03305faca1e6cc665346d6fcbea46f56606808d7949edd8dc0ea3e212bad0d349aadeb07afdf9a96440c50e5c8cc58 |
C:\Users\Admin\AppData\Local\Temp\FOYGCQVGHFNGKBM\service.exe
| MD5 | cae5b725014a82c9ba96b81702c377c0 |
| SHA1 | 702421bd2ee6f9ac197a2340885da83568fe4ca9 |
| SHA256 | 79289bddc0a421473c853f58df17254e485a4a02a744580d59eee6835454f5eb |
| SHA512 | 4c023fc26c78ac24fbf607472a859b66382815f5e9bfb85c372eb85ecd5b4de052d96127846ddd3b7f7da01925929de8a1b8116cae586aeb8e8bb1cc5e92e51a |
C:\Users\Admin\AppData\Local\TempVKXIG.txt
| MD5 | 5cb7a134205578e75c05adb5b04eea43 |
| SHA1 | a0dc3ba15b04f5f31f63788e1731cb00852dcbef |
| SHA256 | 69feaedfc927f5a4b893e3958246361a4bb097c25270680f07f6ef29b12c2bcd |
| SHA512 | 6d598e2b18dd606e7a8e3305529a2239593dd0b5c113001a73aa1f20494d948179c4d73dbd152b6f1db1b1bffde6b58f96cc61bb71ae1da9e887ff4ffece9e2c |
C:\Users\Admin\AppData\Local\Temp\DMDVMJEXNOLUGMR\service.exe
| MD5 | 73233ee8c4dd8c60c96a777193efb970 |
| SHA1 | 1d628262a3b9025dd39df17ab0e1fede097714fc |
| SHA256 | cfef66cce1b9bf1aca1ae57f02a3e60c6764b1bc9d2851c3c96709d62695b091 |
| SHA512 | 67d3ccdaf708c249a570a6ff4f4e75cd8014bbb9136460273e2fce28b04fab2f78c226886632f791d03b5bb81cccadbd9cc8830b601f1599ab6c5dcec2f7011a |
C:\Users\Admin\AppData\Local\TempNJXWI.txt
| MD5 | 6f37bf87416de1c98fafbe87180d9d03 |
| SHA1 | fb17273119e4df1d10c79a78bd0a9872580856a1 |
| SHA256 | 9de1012d1bd2cb99ed801dd9ea89da00edc61dc142c9a41626680d69d0777717 |
| SHA512 | 58f51727285195df90c585a09793f500b4144bb4f19b21da2803e6eba65e08eacc002e21d72b2a7c46c91c05530f5cbb96674112c73315f11e96d7a8774e72b8 |
C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe
| MD5 | 6b95ccaef900346551ff7a469656b1a8 |
| SHA1 | 96c07530ef65f17d6ae7447d646213ddf4e97d29 |
| SHA256 | e683552e7e22a4e6d56ccf67941f7332c2afaf92055babac43e5ce86890ac808 |
| SHA512 | 29aa886e0136d858e077207db7dd407ed0ef839bdb63256b2ff1e0f17efe669b19ccbae5c2958acf2501bc90ee26cfaf049f0d2d6d90feda064ff80e1b53a76f |
C:\Users\Admin\AppData\Local\TempVWTCO.txt
| MD5 | f4eace3b16b0774bb478b9e9f7eaeb35 |
| SHA1 | 0264561da594b48f388d4bfedc24eac48fd8834c |
| SHA256 | 47c5b1731923a2b5c4d2159aba45c2b252c66cf0ff5baf92fe0b1d34df13a943 |
| SHA512 | 2947f33d8726b7d1943b42f5b048dcf9f0bfb07119697b27b9cb7e0a5d2b4668037d5fa705e23bedd54376307e9e3b3722240fa75ed9d631bdb0149796ede7a1 |
C:\Users\Admin\AppData\Local\Temp\SRBNMOKYWNXQPRD\service.exe
| MD5 | c2904726c27c62edcfdba652961dec4c |
| SHA1 | e479be8fc0ec80f99932d26ad3885793615378fa |
| SHA256 | 101e2a2bba03f55812afeedd360d51e643cc3ce7d1e0c15be870305f111f6057 |
| SHA512 | b8b85b6fbd980e5ccb5382e91050569d85b2238d777e10faa141482501ef53f34d8fca82ae3d42cd1e485b469abdd9549541e010babbf47733a379e695aff321 |
C:\Users\Admin\AppData\Local\TempHJSOB.txt
| MD5 | 9a43227d9d25c3b74f5890f01e9d031f |
| SHA1 | a43915501c16406c07d6da843d4351bece3b5481 |
| SHA256 | aca7d0f9b9f8ff095e80b697b20c195eebdf5d581194972b659df219739e74c3 |
| SHA512 | 38e5f238b195df3b540aa20e2afdbe60baffff136f14b50cf9e6b3c3a4d104bc20090468e052a5817cc1d933516dac9328688523865c641d656c34c54d276745 |
C:\Users\Admin\AppData\Local\Temp\TVLFDKTKPHYPDNE\service.exe
| MD5 | 38c6aa80461c2a8ba3ce645864fc5c16 |
| SHA1 | b5776df8f676b12004a7bd71235ccec530cf8404 |
| SHA256 | 14bc2382f2178df41a7b6abce5fab2074e4f50eaefa02703de830bd903186211 |
| SHA512 | 1ca20ef7d1e1f339cf4590f812db917dadca69896c1652b67939b133ab12bac52cae34411af5a039ff85bcf185b67a15dc9bc5cda30390ddff0547d9bfdb1d9b |
C:\Users\Admin\AppData\Local\TempJSOWN.txt
| MD5 | 9ebeb1bbe4a4bc810eb37f9b4285fd99 |
| SHA1 | 870b078d5bd267ed25bd46a3ccb02c6e12015ae3 |
| SHA256 | b94b332175f87071708e53728debf49cd1862922506864f4a2f5d94761947b50 |
| SHA512 | 18ba50012d07bdb3b67a8f30bc3bd2456b0dffd72c2f222765f93e4d342b48e9c025e87b4fec173b4600d75466ef59532dda83f6f112ea68d2be4fd87bccdae4 |
C:\Users\Admin\AppData\Local\Temp\QJYIQEDEAFAVQEL\service.exe
| MD5 | 72f1ff88d03d16c0c0e813fc9e0a41c8 |
| SHA1 | d4e9f91b1de27f887424477829856c3c491efb61 |
| SHA256 | 26bc65e8bac4d820db93588dff096aa7eeedbf436f8fdeaaa9298377b4faaf72 |
| SHA512 | 17697c103342c99444369424a9728b9fdf20bc7fc4cd34fc9075f3039af8c66fe440915d0c29144956fcb416bff66cff37e231b93eb7adb72c9cf9936049ce30 |
C:\Users\Admin\AppData\Local\TempJSJHS.txt
| MD5 | 42ea1a3ef60848997a8e479f243e3561 |
| SHA1 | cbf65e1367eb66d498dc47efa36adae5903ef8a0 |
| SHA256 | bf0e1c29fd8185ba6e5a60134f47220722e669a6924af09c2e6fdbd4748d049f |
| SHA512 | c2aa351c4aee68bb654fdb58f49ceaf666ff34ccc18c0dd7543e12bc4826e767ce6e80ccf3fc50db7569728db412ca40328aa22f6986185332595dcfa328bc0b |
C:\Users\Admin\AppData\Local\Temp\TMFLSDERXOWLVLH\service.exe
| MD5 | 1319be852b3ac93061be8cb620ca7919 |
| SHA1 | e15bae19f15eb9ef410a7afcb67491e52aab73a6 |
| SHA256 | a958dd07644a2a115f7e0f5a46b1c96c3ab07382f6d6cbd83a239046056731b8 |
| SHA512 | 92ce42232e38bd3512b1f70335b9b62dc777c0e44b805e1acb2b1d548051a664c7668544ea84a3491b74893faaac49cbcdc5e9a9a60c4e8f4968c3cf38384475 |
C:\Users\Admin\AppData\Local\TempGYXTU.txt
| MD5 | f662fbbeabc47fd6044be333884d08f8 |
| SHA1 | 6a2789eab411b65025f34c1ef223f3c57ba9b370 |
| SHA256 | 461ca657c06bf7f5612fa2a53dd8ce5948eb219691b4bc9bd13062935b8c553c |
| SHA512 | ca54498fe5f840caa6344bb8e01792c95f2a7a0ff383899c5ee2f03cf7a144da6979e737e529beac0c0848066b2f8cb259cda2464730405547dba92771e6b078 |
C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAC\service.exe
| MD5 | c10080f6f65e39e92b7ca5495f4e9b59 |
| SHA1 | 97a2f2b8d1663b21c41f7d51682f712c1e5566b9 |
| SHA256 | bc04daf6caa6ecc55ce8071d83d4ac397e54d3f2e945ef58785064dd52373219 |
| SHA512 | c9fdc476022c1c946b4b631259ffc07c47f15f7ee7e4747b1fe34022a30de1196aefe704461f3f224d13b42b42797e0a8085a2550351a81e5568224fe72960b6 |
C:\Users\Admin\AppData\Local\TempBTXSO.txt
| MD5 | ee43c5410ff083f25fe89002fbc791e3 |
| SHA1 | d6326230df59d77df3a85811dba022b53d798167 |
| SHA256 | 7d62d099d0f41de498f140ec5675d421e9d416f2304ba756a809064125641b3b |
| SHA512 | 558661a6298c381c12b30a21dba3f87126bdbd37575ee076a70752a5e18e196fb5db5fcc136802c6e588baed6e017bfdf060f045c825d73a4dd0ff9b4fbb619b |
C:\Users\Admin\AppData\Local\Temp\CLVDYOSXEFCKDHW\service.exe
| MD5 | aa924abd66fb2c619c17710212cdf7d5 |
| SHA1 | f3fe74c80568f1572c2184d8071a2e7aaa0aefb9 |
| SHA256 | 5788aca6e9714744c6d52703ed4a5ee7750d711c6902936b951c4a2c4518cbe4 |
| SHA512 | 22513328644341a97e69c9560bf01c081ecea35827b82845bea26bbad89732a62bd4885ebfba4673d32bc7ca80a8b026dd661f4be5b4fd886a54882de4c399a2 |
C:\Users\Admin\AppData\Local\TempSEMEH.txt
| MD5 | 5c86f637d8894a6cf2eb5fc686133c84 |
| SHA1 | 316501888a2b7a55b97ee6fa37b7cf37d702ffe5 |
| SHA256 | b7025229dfd24162095f98f29366125ae11f4eb511634ef8969ad338dc8fa84b |
| SHA512 | 99bdf20ddc96cfc80c13a59c71a25b5900ca800362c9ee079eeb8b213437d1260d83952ed9959193c605f1195d43b203421f7c801da0cc869f453df1a35b3551 |
C:\Users\Admin\AppData\Local\Temp\HUQTXVYJNTAGDSR\service.exe
| MD5 | 42f95c141450c2a7112c51c4c8acff42 |
| SHA1 | 980b66f8edefb0c14b8c5da67fab0f24a1b129be |
| SHA256 | 9284ec566d5387286a58f53534d3c9545c8e68fda235c2516df689a3b13635cc |
| SHA512 | c8cb1acc79f23fa1614176ef78d69b3f01a1bc40d522a09b926f05e1b329f26b925efa0d105313f44d3053438871faeff8677ce4aaf3911bdccd3ecbcc45af6b |
C:\Users\Admin\AppData\Local\TempWSFCR.txt
| MD5 | 35bfbee1dc846547018d21be699effc3 |
| SHA1 | e75fd91255fffb0d4d0f0f65349af6b737fc8bf7 |
| SHA256 | 0c13608f5998a08bf5afb026f729d178758e184233f44771f799707fc4202e86 |
| SHA512 | 14a4964fc902035fdf9c37336c6e36f07d94fb297d905047a74f7049710a81e1fa3ae70882c694db59dc1db348e0ea66138ea90d34ecaf9b4bc908c16d17b8cb |
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLB\service.exe
| MD5 | a351a374c46058a7020bb221c258edfd |
| SHA1 | fac6dc944e6bf02cb52b37121c0580dad48245b3 |
| SHA256 | f82abb5742acd7f265ba5c793335e94275b9e31941f62d2316095362628cf839 |
| SHA512 | 39cf4c01f90dd6a1efe2eefa8aef1a0d3f3c2d05be2a85caa53165ae52dec0e10a907d0bd0a14427eb8d05f69e69f00716367d4cb016217070f18c30b883fad3 |
C:\Users\Admin\AppData\Local\TempGAOXK.txt
| MD5 | 7ed000eed1ab7f3420e001d25a18e2e0 |
| SHA1 | c53a4d8d38369ee75f7de08af9704b1032aeba66 |
| SHA256 | 6f4c0bbe1807412382dfb5ef438f76d25474df51ca65947fc4b6efd98f49a840 |
| SHA512 | 1ef1d0bd91022d6b1b06eefed48e0adeb5d4d988b65e4fa1819d5ce4d95e56612f73f0ed8f5fd1ef37ed2f354757ccbe0ca1bcbe76196eb265a098741f04a2e0 |
C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe
| MD5 | 6750c4e10c2d462b619e5bef4ec59805 |
| SHA1 | c4b1fbf8747d3fdb7ac66242d2e039a4699bc57e |
| SHA256 | c53bab4aadfaa2774404633bfe0c50ba35478b6477ad595fe93f87e88e02b061 |
| SHA512 | 2a9be692a88fb07962098a864dda6d886ad0602d549217ba9064e3410b9033120d5a28db893ae4ea3b220d16015cc48ee7054a9a9157b6e678201399b9ce53d3 |
C:\Users\Admin\AppData\Local\TempQRWDE.txt
| MD5 | 5f86bd202bfcd38eb1df9dc3f99b3f2d |
| SHA1 | 20eb5c3c335c0ae536940a2687e7a4b19f36ce56 |
| SHA256 | d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84 |
| SHA512 | 4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c |
C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
| MD5 | bc521526298c3bf6e96e01e49beb179e |
| SHA1 | 014c22710913b9cb8a3f387c0264aa67e882e1aa |
| SHA256 | 98097c56d32f6c6d519d086809e0aa94e1de15fe04c87a394d4f418a6f6b55e8 |
| SHA512 | fd919259477930c87d97f0871f7c8937c8c3be061f4a0ff7736e77d87894839c9f49aaf7ebc1d5ee1b793f9638355e89d34f7f4adf300e3fde574c0888d48845 |
C:\Users\Admin\AppData\Local\TempMWSFC.txt
| MD5 | d436191c50229e232e217c85c462aa77 |
| SHA1 | b2aa8f91e2a09897c42675400e041b62bf538101 |
| SHA256 | 9ffcad743b0bbc3436f3b164eeb4a24245c1cbc77f61b527e918a3d31e2485a6 |
| SHA512 | 12a6358d4d810873c33b140f50c7ae47ea0eba0d9ce26c3b37b8a24a52c1c06d2b68aeaed032fde2fee3fa4e836baca9e144d9b56062ee1ee7733718dacac5ce |
C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
| MD5 | ad1189ce23329fa054bc2158fd43bb4d |
| SHA1 | 5de0c8f870d04d72290b6dcd1a29fba8f2fa5612 |
| SHA256 | 9781054c91a12b59745ecc3fcdbc19fa45fee75b4d21ff17c9c829c152816efc |
| SHA512 | 621b0d539fccfe76abdace9b15cc0c649c75e0693157ed482711ca6f9a871c3704756500f92c9af988c991c7d47259261545196996d45fa0f9390ca0459b9a87 |
C:\Users\Admin\AppData\Local\TempQYBUU.txt
| MD5 | e2fde989efdfa9c12af7ee59baa74dfd |
| SHA1 | 496290188649323aeb029f1cf8f70cae43d00d99 |
| SHA256 | f31507d060c2098a8887e1d7b0fd0027d7c1377c0619d70c81536feb4f0344b2 |
| SHA512 | 6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282 |
C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
| MD5 | db7c2ff2933095dcfae08c48b9eac92d |
| SHA1 | adf538488b08479cff788339f3fb8160d3a58309 |
| SHA256 | 9c71d0dcb0cde4a85abde79239d652decbd2f2dea346fb973132c863cade9dab |
| SHA512 | b94cd0801f4bde739cde970cbf0140a51d0093713780fa4ae67689e1887e406f8a058ef5bf6e7ffff14e97d61456b53166918c24ea971ce78902c1045149687a |
C:\Users\Admin\AppData\Local\TempXDVUQ.txt
| MD5 | 05608828504e3676cef951b8df0129e0 |
| SHA1 | c21932475e83ba219e6025657a54214fc43fcf32 |
| SHA256 | be65e5129ad5455e50dac2a352062c7f82c1c8dd519afc01e682ce7d87dd15e9 |
| SHA512 | 3322f59fa383e0e3086ff2598b50348b6865702f71a63b47a900c3654c29b1a26f9775fe1b2dad31352125f9870e47b042b1b008a20773d8b3ebd21ea3ce2372 |
C:\Users\Admin\AppData\Local\Temp\ENWFBPUFGDMEJYA\service.exe
| MD5 | 0e5c174c5809b1356a71023fbfed7152 |
| SHA1 | d5c446645a7601f708e4beb7dd8e9d015d58577e |
| SHA256 | f3124072b34838e1bd1f1c98e4017701705d22df3cd4e3c65de5921645c1e06b |
| SHA512 | b44b619c449a9f6aec143302a4279b72ffa810451f5f1feebca3a9a8e42ada35aea141c71188b7b8480d58a6ce46114e0c2354cd7ac9c65f08bf882bd425a160 |
C:\Users\Admin\AppData\Local\TempSTQAL.txt
| MD5 | 2d444a1f4b3b0a068f8a2d86ee91ddea |
| SHA1 | 3710de6bbffdf5fb1bf171ba6c97f7af835dd692 |
| SHA256 | bb5b8cdd96c8397e4738b0e337da9392b5d0d15ef6a186db4b7f5d35c2d1d057 |
| SHA512 | 2690efc4c90472096b2fcbe0cd6894c8e02fa19346e653923280e37ca2a0eaa6afd6d487f089266becd8d0bbb0b152f56f619eee05120c40d1ca8a72a892c210 |
C:\Users\Admin\AppData\Local\TempQBVUJ.txt
| MD5 | 878f9cef61636cca20cfb70db6163294 |
| SHA1 | 6af0e6d2f4839baad8de028762aaae888e12e698 |
| SHA256 | 224e5d724d4f06b25b986fee6169b27ae18dcd8060982a5842bfa7a22430dda3 |
| SHA512 | 84b6f14411541b4043692c395b4167e6d619573e1495a2aea63063ff7439e91c5034f75e664159462c7540a1a646560b6af8645a6033756dd804924819ccd211 |
C:\Users\Admin\AppData\Local\TempVGFJW.txt
| MD5 | ac25c8c9ed6bcd533246820219581d49 |
| SHA1 | 48d325f7a561d8de40e892dfc28e05bacd7a9637 |
| SHA256 | 8c5c2f6e28be144dc065d86a1fc060648df942eea0b3a65289dad855126a4176 |
| SHA512 | 9085d29aedd00a6be910a9b4b17484e744164ec6c3c8cf10cc70d2643bd2e1f69fe5299fba25b4a5fe56dc75f16830b4b884f3ddfa26f1741fa8322d5e0d0555 |
C:\Users\Admin\AppData\Local\TempDHIRN.txt
| MD5 | 662efbf888c6d75769e8c5c0dec1d01e |
| SHA1 | 3181e950587a5f94a137cf768dcd15f46c0772af |
| SHA256 | b32b596d5872682dbfc521ee0f94fa698be838962b81585fd54c2523bd621736 |
| SHA512 | f56692d07d039f1af97946589fb878bf6c93a7cb2e7d8fbd4b2f24716cdf0cc10dd904e026894fa5128bfe108058403a6b1ff5fc4e1f3bdd53f5eebc4c484c8d |
memory/2160-666-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-667-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-672-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-673-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-675-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-676-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-677-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-679-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-680-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-681-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2160-683-0x0000000000400000-0x0000000000471000-memory.dmp