Analysis Overview
SHA256
e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
Threat Level: Known bad
The file e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Blackshades
Blackshades payload
Blackshades family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 23:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 23:01
Reported
2025-03-08 23:03
Platform
win7-20240903-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJPWWHABPYLKXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NIXVLVPNQBGLYKS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\DTURAAMSXIGKFNC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRWCDAJBGVUIJFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWEME\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VRFSDBGYXTUHMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCOOPKIPLAOVFQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ASKGBRKLUXKLIRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFKYA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVXIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAXLXJHLDNSLBBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUUVQOVRGUCKC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMCNGEHXTUC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJOVWHBPYLKXEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTAJWSQAVHBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAYPQNVHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCMSKBBDFSAONID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSQTEJOBNVN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLQDAPXPCEYUPDY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VCUEQQRMKRNCQXH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECGBJUWRPRHVDL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\EAOUMDDFAHUCQPB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CQGUPNSFSUPILNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSFLQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPUBCHAFTTHIDBE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTQUQXMNAFMNVRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHVUGOGXPLGWQBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTHHIDCIEUHOJ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AEJXWIQIROIYSDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\IVCMVTDAYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQAHRNIDCSTQYK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFJFCTRHHJEBCLH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSAVYXLPUBCIA\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQWCDAJBGVUIJED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\AHLCNPKIKAOVEPU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYNEJBSJHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFRCBF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AHLCNPKIKAOVEPU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKEJXG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLQDAPXPCEYUPDY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
"C:\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVOTFC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJPWWHABPYLKXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
"C:\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempCXAMY.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUWRPRHVDL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKBFTL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EAOUMDDFAHUCQPB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDSTQL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEJXWIQIROIYSDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDVTCC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DTURAAMSXIGKFNC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFTBPO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXJHLDNSLBBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe
"C:\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
"C:\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempSFCRQ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CQGUPNSFSUPILNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IVCMVTDAYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempTHOJO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPUBCHAFTTHIDBE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempVUGOG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFJFCTRHHJEBCLH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe
"C:\Users\Admin\AppData\Local\Temp\AJWSAVYXLPUBCIA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJOVWHBPYLKXEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFVIQK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQWCDAJBGVUIJED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVHBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFVIQK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRWCDAJBGVUIJFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe
"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWEME\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe
"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempGPBYW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTQUQXMNAFMNVRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempAQROW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVUGOGXPLGWQBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe
"C:\Users\Admin\AppData\Local\Temp\UMLTHHIDCIEUHOJ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VRFSDBGYXTUHMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\TSCOOPKIPLAOVFQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempJOACF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ASKGBRKLUXKLIRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe
"C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFKYA\service.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\TempYRXJF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCMSKBBDFSAONID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
"C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe"
C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSQTEJOBNVN\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempFRCBF.bat
| MD5 | 5e2910770ef86d0d741e5b5db5df76a5 |
| SHA1 | b28e09a9386e327e2f533ff7114ea7c37177cbec |
| SHA256 | db7f0426595911fb5c697cf2e9485d513837c4731f3770dbef1ab1e5337441c1 |
| SHA512 | 9acb40418719b7b8fdb19af5316a4b820bdcdd70e206105c7faa8b5ef0bbe18d8ab8851d3edcfeba5d39b5d948d0d0b10b03e8901ded3d8f55cde606bc3fa2b7 |
C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
| MD5 | cb0e7e7dfe89f8afe1faab2781dc4b5b |
| SHA1 | eff84cba73f72bb05c11911bf77a7047f19f9137 |
| SHA256 | 55202f31bf7e3e2fe3d68cd3a8bc2c1f2eeba217c85017d3fe0c7421bc0adbb3 |
| SHA512 | 6babe7251716cf907d000df6324305ab13997c47ffb2e184da716445b976008adf254da115b3ca9364f157bc0bcf729a58fb80b6ae9054d192839cba55589d97 |
C:\Users\Admin\AppData\Local\TempKEJXG.bat
| MD5 | 273e26c247fb0fe490286eb10662e314 |
| SHA1 | 75f2f60a4274100e801d45b1ced17e450fa05a6d |
| SHA256 | 952ea2475d41aa8c9deb26402ce85f45c1bc5aba6f9f4beb7a385c473bcfbaab |
| SHA512 | 758ac276eda0ce611aed6d15307c0cb4172a26301c4e86d8713915df6ab9d19e5010ad3e6f8a1977194376c79d6fe9075407d031eaa88ff8c223ce685d0fbdcc |
\Users\Admin\AppData\Local\Temp\VCUEQQRMKRNCQXH\service.exe
| MD5 | 54605a32e0454059fd847fe2feb01c8c |
| SHA1 | 52eeba47c32b47441d5665416da9385cda2f86f9 |
| SHA256 | 98f89c1a3d7f7d4242be75159af331532b8772716c9e08c5043ff44c48401afc |
| SHA512 | fd5f991fedf4aa03f741ece6885851f2a9469e361f7d8db82b3ff374398019e655e90c05718efaa4ee54a73e49cc8026f68986d9744d4b0b9d19c332fadefee3 |
C:\Users\Admin\AppData\Local\TempGPBHM.bat
| MD5 | 208e3a0f906b0b72f4d8c1627360b872 |
| SHA1 | ab6473eb79f2067297371802228f733fb84a8d82 |
| SHA256 | 3a38af70eb9eff06c24abdadbb3202280c08623bb318b02ade8f808ffc83a89e |
| SHA512 | acdd4f1ea9bff2750af8880e2b1c442d6481a84f30318ffcee3d751feea518870d9156a6683b791452688ef330a82fb0b26d975d54d01cfb71b9097454b6cc39 |
\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe
| MD5 | 20581163ba6e109d8d27550519200256 |
| SHA1 | 155405d75afb9bd561ce0746cc48bf820edaaa91 |
| SHA256 | bef9f735bfdbdd6fd58da42896fae27e98014361d84ae2a5da83cd9c60db9b67 |
| SHA512 | 63c891de7666a60f877fc150d6049bbcdd4277a3c4d00034dc883f9510513af9d0695eaf0964b8ce03e3388297964bfee4410cee4804f7160ca8053b7e714839 |
C:\Users\Admin\AppData\Local\TempVRQFO.bat
| MD5 | 5a2ae5a03652e9babf10380a05acfe57 |
| SHA1 | c8c931e5bf56e0fc6e7d1b1c7a85db29d48aeebf |
| SHA256 | 46dfeb0ecfa51a28207a208d888bb7e4dfce44e59bfdfb2c3e128b8f88fdfe5f |
| SHA512 | 1f3a602938af36277ff64cd4c3cd7e27514ff2b7ca4611d8a7346bc86dcf1a4af8780d05ee5c1f404a537891301968210a9aa3d6dd27f9d87b3a044ac4c25f34 |
\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe
| MD5 | c573e403df85439e15d12dc1e35cc9e1 |
| SHA1 | 30e6edce86ee5b3cdf4e8e4ee97d772d81afacbf |
| SHA256 | 2e12c0fbbe807ce90d384ca17b70318e41d26ed0d5e0e7eb0971ed7f8a5b80be |
| SHA512 | 525efa71d312007e79d91729a374d7c0889d9be93964356ddd45ee50349f92edd25fc5f9ee8f432d5e0766725d8d23d19eab1e8dc5e3136bcf3fa874db084434 |
C:\Users\Admin\AppData\Local\TempVOTFC.bat
| MD5 | bd779e56a78ee71b78bc8a6945dd0706 |
| SHA1 | ec2e1f011e51dd63a1e5708a183d1f9d16d9331f |
| SHA256 | cb8676ae539e6307a4fecec737cefc88603f62e24277ba31cdf2b83030c63948 |
| SHA512 | 1a99b0a7fb85ea727353c62b0b12b4a698ef5ee0c11c9c7e16b50b0e310c5edeaa85e9d01149397db7aa9cd581b4ffac7720ca5bf9bb347c13ae91dc7aa1cc46 |
\Users\Admin\AppData\Local\Temp\NIXVLVPNQBGLYKS\service.exe
| MD5 | 675245d8fb1ae9c7413058c6f8febc62 |
| SHA1 | ec39a2634d861352a08c9f6e598a46123e63805f |
| SHA256 | 8f9ba8637aaad454d14f7c2a0bd78b7d76103a32ba8ee59cad421eda018c2200 |
| SHA512 | 62e6cb1b08dd9dbb69adfcd14995249c4c0125e6b202cc5a0cc0f7b2277d7d7d1c6d5216d429f1c194d078bd23fdb96b5b876347e33ccfee5ab81f3322cc5ed7 |
C:\Users\Admin\AppData\Local\TempCXAMY.bat
| MD5 | e466b7bef8cce718fbb8bc343b27f16d |
| SHA1 | d0b057a7abfc0101b77e241f77518957a66fe528 |
| SHA256 | 691ff9337efd6cc5bcff0305153914456107aabf12afc973729a3bf48110cc8d |
| SHA512 | 39259ca71f33b1d5c91fe3783e942627708ab66c07992c56e01729c384af15bb2a710d3f21a41862941a1378004260d9cb252fe1a127cbf84d74a6fcd92903a0 |
\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe
| MD5 | b6d5ee3553d25076d9b5271c232d2e94 |
| SHA1 | 6d0b9931694743f40d582a751e76e768ce4b1121 |
| SHA256 | 989f93d1bfd0d5715ab6d3d07e54d45d3303867379094c0600176664357f4d19 |
| SHA512 | 0c82ec01f4971f3ea7f7e0fb410fe9d5b4b68393c9b031b0cf88cb8d334706b601ac2a3ec6adbb5c877029137019e979238387b236351e072409260cf93733f5 |
C:\Users\Admin\AppData\Local\TempKBFTL.bat
| MD5 | f4fb54d6842948ff1e3279c9ac2412f3 |
| SHA1 | 7968be99a77ba240d2c73832c0092394fade9063 |
| SHA256 | 9d29f649d1a63b41b7efba55add655ef5696d6156fad3e0ee9e33ef4e047ce13 |
| SHA512 | a1fc67177ec4e6129b04c86a1bb9e74b37127fee5df4d1540f8efea2e6de8de3e7af9fc6b97e7fab3d7827065086dc1ad0c8dbeed1766e24ef8c98b4775cae55 |
C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
| MD5 | 574500a34b1ad8480a87fefc30ba5a79 |
| SHA1 | 51185dc151b09d6f353b30028fa26c7c2b402e64 |
| SHA256 | 200ab15e8723204212a91faac940b498846bcf412b3ebd126924c45ec774c418 |
| SHA512 | 8cb9b5ca1ed4081ea3e91e4c0a997a553345b7ca62bc6391c9f659dd30d6e4d6f30c581245d34d01f04b66433f58f27df3983ab4df8dcfe509ee952f48978ef8 |
C:\Users\Admin\AppData\Local\TempDSTQL.bat
| MD5 | 23267ed96103fe3ce657908f0bac2325 |
| SHA1 | 08e023ca807687389eee680e1d2380d3dc01747e |
| SHA256 | 00e538f0fe12acfad8f07b06e824893f9afc2e4e2298be29e565ed02f360a5bf |
| SHA512 | ff65e792b25850a13bbdc7eec411b3d6dbc6e50beaa38cfc711178238fe2c24b6bef4496e61563e25e1393f9ffa2dbbf2729dadf0ce5c130c77f3e9e6a72850b |
C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe
| MD5 | 38aece243c06cd587505ca6658fde6ed |
| SHA1 | 63763a9aa50505175fb6acc347126a02716b1e8d |
| SHA256 | 1576ea52d98216747a2f93839b1ac4204ff86893c7a7f0b97ab4a88a4dc80d39 |
| SHA512 | 8b9122f85804a79e3913256bc06e0e8c76ec88839bc4d6480c5d7c2e5824c55e3808b42012b15ea65cc1999199cd3ca0fcfe4f83ddbd0d0fdd33fe309404cd0e |
C:\Users\Admin\AppData\Local\TempDVTCC.bat
| MD5 | a3163f7ed04e2cfeff26b7b6fdf06c14 |
| SHA1 | 5f8d1b9f909b5120d5f0a2313bb21d3654ba7093 |
| SHA256 | 064bb4ec0e899180058599bfd9b3902bee1536ce2aad3a3158a52cbcdc145c0c |
| SHA512 | e1b6ff86a28ea05b17b6e053f64a27ca1252fa92c020ec9ff2afcf064c47ce5b31ba0da1f543e322ff15c25376465b274aac96fabce01aa5885aecdfefd8a144 |
C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
| MD5 | aa62ecaed2393b9d0356dfa34ab7779c |
| SHA1 | c53ba51ad98322ea8e09d6c8d2809bc0c73a6df8 |
| SHA256 | da9224e1ea3ffad60ba28e7452490672f318cd5eebb6dcc96350fa36add1410a |
| SHA512 | 1d6dd907f5815fb31a4243e9d45f657fce5eed0bb775d9b605c0721e538775c3a9e0db3ace667dd444f5aa6da5d322d2d06b9571c259200f99494daf851c4ab0 |
C:\Users\Admin\AppData\Local\TempFTBPO.bat
| MD5 | e19cb0f3d346261da0f117bc8fa1b8cf |
| SHA1 | 0f583c2f889938ef1b05acd6b580af1aa05bc0c0 |
| SHA256 | 74e1a79bd4fe9fe26a302d986f9b22e8ed30c1e4e646371a0cbee8d1683cf669 |
| SHA512 | a0e1682e28f35be08fa69532ef4848f66cd9d2b68b006f7e914c5af2d0201dc42d29c89364c77482acde27e027f3388c4cb6b6ee5d2fe8d77ade7af4156235ed |
\Users\Admin\AppData\Local\Temp\FYIUUVQOVRGUCKC\service.exe
| MD5 | 09b74e6094a209ae6711fd7d19f2c93a |
| SHA1 | 6b15b1473233a7bcba9e39ff4988bcefbe073970 |
| SHA256 | a4660a2d66c17d9336e7f00494f796351505cd45202dcdef94e9cd960ba72893 |
| SHA512 | d9de9584c151a69ceadf81684332872e4659b02f6a81aebc7d1a068e2f0ab694cd7f3566df2a23c6dcad8bc04ddb56a52cae51249056964d31e7e5327b020dda |
C:\Users\Admin\AppData\Local\TempWSRGP.bat
| MD5 | a4759c272815e54762c8b6d29f8589ab |
| SHA1 | 2845be5ed3de87aea965d814bb975c240f663fc7 |
| SHA256 | 16b8eff2b6ad710fd19b65ccf37c005466e6c90949bfa5edadcd7a16dd185f65 |
| SHA512 | 894f5f0b056cbb1728dd52175d95eb9779ec27065191fb1c6c1255894d809edddd89c2d709c415f0475514b529ce922063a448d99dcceb138d35c5a390e8b960 |
\Users\Admin\AppData\Local\Temp\EAVOUMCNGEHXTUC\service.exe
| MD5 | 612ebd906b75ed99f12392d6ae645b21 |
| SHA1 | dd6b36f6bdbdd2603a13b4f3e5f1d2d31988b6b8 |
| SHA256 | 9f56cb6bdb906026b1d81d9c4c443e9d36d29297f1035492c45e247eff8ad6ba |
| SHA512 | 64983dbb9404a43cf9df2a53dae0da758e1d1c671bb6ca9687048b2f6e5f1558331279cd6d63f137ead210311953d2f80440867baee551f6ac3d980831248e04 |
C:\Users\Admin\AppData\Local\TempSFCRQ.bat
| MD5 | cbd327f5eb06e76c33435e5fb58e5366 |
| SHA1 | 6c080c7283d67a05ecb8d7fc0f26ddf28ff030c2 |
| SHA256 | 9098f1397287e147e304fb19e44d79c2171f76f9d83831a4e327c8292a095650 |
| SHA512 | c2e3535b5b5ef1185191cb49e28ea055f30a6a292553c1e96459035a5c4dbdc32902d3dcc230adf8defe6d75ee537a4517e3b276e2d9f23c99ada75859ee9569 |
\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSFLQ\service.exe
| MD5 | 14c939481ee7009696ad8277e08b31d4 |
| SHA1 | 665c55578a91878e12256dbbb397f46159cd1320 |
| SHA256 | 32f41333d45769b31effb75d4efa2bc38b3982376060ac6062a4a664e15ea8fb |
| SHA512 | 0cf471b9f7e3909f286c547f95168e6df37f6bf34bda0dc1c664637866a8edd9c0f84a81aa1787597ef332f5e42b5688d93b6c79b86e0cf00493a88f86f97066 |
C:\Users\Admin\AppData\Local\TempRSXEF.bat
| MD5 | 526995ae99ace1c5aaf20971aac779d3 |
| SHA1 | 819282786691057a7ca14b8a14c4a71e417bc874 |
| SHA256 | ad20d330536a1e00eeda324cba7b254446e100ff3c253377f04a363613c3ec4a |
| SHA512 | fc64082794e5ad3623945c81c4ce59af7da2559e7fa2ee0a1fdc8787d5f114f4cc51d1c1ca91762a913ca296c965b55a3a7ab6736d338c0a5b3eb072c1c08df2 |
\Users\Admin\AppData\Local\Temp\IAQAHRNIDCSTQYK\service.exe
| MD5 | ca1412bb8f59fa428dbac0256dff5501 |
| SHA1 | b583db2c6f6be61e92fa010e64719b42677bac0c |
| SHA256 | f9fa81f31a74a1d5b87cbe8c45e438f6f00922d03104e0db2b59eb1b80c220ed |
| SHA512 | 303b6b00b2b8b9fa6011de84dc9fd81128534b3be5d6494e0791e21fa77c7b46f0a967310d7c7d41c14a2c674bcaf2ac9ca020fb6d8896421296b6c414d2158f |
C:\Users\Admin\AppData\Local\TempTHOJO.bat
| MD5 | fb0cc3cec9624b394f34b306f3df2bac |
| SHA1 | 40a7308e51723648db8998cb81022a0eebdca704 |
| SHA256 | 47742b44419123b3dad621e5a74a1cf373b3a88b3e18870d6f876019a4ab0829 |
| SHA512 | 3c3b6e03e0987687a05331e09360b76173a24df8e3a11b6bf691223e28f199c036476f1c79e726a0aaaf086541e8630ccc404b13847a2a4f607a82ee22bef41d |
C:\Users\Admin\AppData\Local\TempVUGOG.bat
| MD5 | 07db573cd441f9ba45b4221854ec2c6a |
| SHA1 | db1343024d071550aaf10c8c4787332cade7db3e |
| SHA256 | 196c4123cefd730828b26167029e7db703616bd63ccb46c94e9051274e9aeb95 |
| SHA512 | 9982f497b48b7f842cf991a727e9fc21705cf0203eb8a7b3dd19d15e9f483e0cef83c36db28eb5bd97b57725d32d782390412cb8fc2ac10f6882b49c024d2951 |
C:\Users\Admin\AppData\Local\TempMIWVH.bat
| MD5 | 4e718d0a98d038fc6a7f4d8e2e11dc51 |
| SHA1 | 8592e2ecd0a09e5433fea27080a4b5ffb7151ded |
| SHA256 | 609dac82e9c98d3f35474c6677ea71dd89c7e8278440ee25ce0756e301aa1f4a |
| SHA512 | 80da7ea6e5d1446b275819de6216d5c021308cf6200d8ee9b98f81e6ff01e1b6d53c8e01c7cb0f6e603f440c4c5ac675b6c69958a4769fbf8311855aa5b5d56d |
C:\Users\Admin\AppData\Local\TempNTFBL.bat
| MD5 | b442dfc6afadce97d581492c2fb4e146 |
| SHA1 | 4080ababdc3cf53781daaba654645eb4e359aea6 |
| SHA256 | a4dd385f951de5f0d9d6f18c3ebbe661564f156d9196c61054e2d4852497181a |
| SHA512 | 4ee21d55c46ed298e2ac1aed3116ced8c32951b704f45942c1018a19ac610a797145bca2bf781583dfbe0b8f99ec27aad6560c99497be612808bc56337570f7a |
C:\Users\Admin\AppData\Local\TempFVIQK.bat
| MD5 | 9f846d611886c8b57000102a0982236c |
| SHA1 | 80222b4ade3d2e00a8c923b62f6edeef38896abf |
| SHA256 | fb13dfce3078689b589679ca6b022a8b7d4f0a262d48a82b169a23d4d19af359 |
| SHA512 | e15bc7849e5e01d9379cbe4030ef200b8db7c620f981c78b61cb7236b0c244ce243cabeca5831fe0558c0d8169a482f458545bb237bc1271492b8d23d17debdb |
C:\Users\Admin\AppData\Local\TempLOPUB.bat
| MD5 | 665833cc5a34da48e2dd94504a8a8079 |
| SHA1 | 1dda78b66734c62453435bb9e5b014745fa3e642 |
| SHA256 | d24962ca514fde2e3f5380dac38255a492260c6e739ae65beb0b5a21082ab319 |
| SHA512 | e7906a2575a2348db442e9f21acf6e6aee45e63b910df34404f5229cfbdcac7f3f168ed2612dc0da3ef89cf50e3cf2838cb6c4567293579155e0b0040675b603 |
C:\Users\Admin\AppData\Local\TempFVIQK.bat
| MD5 | 56aa6055a511c140b666aaa9e9e41751 |
| SHA1 | d34a27ef063a309f892fc8e71a308952501ffe7f |
| SHA256 | 5b9d9ae763ca6596c0e3bb4ddff4f3342fd7a2461e42d27f4405ef46ba792bfd |
| SHA512 | 91c933590f3097aad5af9c95a8e5e0d2b5484fceb64cc8ef73b8c083b9cb6d538f7fea6655391fd430cf070e0c9c927104237172886ff73d2175b54eae95d197 |
C:\Users\Admin\AppData\Local\TempKTPCO.bat
| MD5 | e19b90bfba2c69d2c21ac3776c877917 |
| SHA1 | 85d70a13fc6e4842be8e175522d24be6bd879a9e |
| SHA256 | f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5 |
| SHA512 | 3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f |
C:\Users\Admin\AppData\Local\TempDXBMK.bat
| MD5 | f2cddf9b4c6dc1c004b21edafc8229cd |
| SHA1 | 29cdd639f4c179567cb348866c5f6e3dba09d708 |
| SHA256 | 8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db |
| SHA512 | e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0 |
C:\Users\Admin\AppData\Local\TempGPBYW.bat
| MD5 | fb070329d6d15d90f18a65741b6b7cfa |
| SHA1 | 0c2d3c17f12d61a4756a3f5f0454202613734d0d |
| SHA256 | d4acf07185f5368fdaa6cd3c2fd66f73372cc4674e21294545da5252abfef25f |
| SHA512 | 400df25f2616cc914d270435c5f020628b1418dee201f59131dd7579a475916eb95c641b512372a2977aeb7099eec5000f1659c78e98530f5b86243858316e59 |
C:\Users\Admin\AppData\Local\TempAQROW.bat
| MD5 | d0dccfbf8d3675fe2c5c43a96bfb9601 |
| SHA1 | 296433852b28405986dcce498a035a421e6f0e0f |
| SHA256 | 605ad991bc8f37568f407c58d4fa640cb52df9ef9c43dcfcd1266cb59294420f |
| SHA512 | deeded30db6df2d53e9aaef908bbc6a4d21517fa177573646dcf37d7612795fd106c6a55f11185c1fc6b395cd61b35160dcb165d522fa3547de9054ef71ed833 |
C:\Users\Admin\AppData\Local\TempFYYNW.bat
| MD5 | ae6d6a1d6a155b15cc3603b65f0b591c |
| SHA1 | fad414a686cf2d48076fff166d85305b7443d20c |
| SHA256 | 6a46a530bbddf943593013e9225240cc859f544eebbd9b52444fdfdd4511cc1f |
| SHA512 | 4edb09c141e263482170fdd25d7abdb79931bb2f40261156333bfb639d75f4eb54b6fdeaafe74fa331b7d30b24c8f1c49b7718d609dc9423295789bf6ca4a2ce |
C:\Users\Admin\AppData\Local\TempJOACF.bat
| MD5 | 9ffa369c44bc37ecb474c80450a73040 |
| SHA1 | 2ed747490b6646a309e137614d91c54e83b5d02c |
| SHA256 | 6e36877eb5ad6afd0b2616caf59d54f4181e3417384416c402a1072e51de8880 |
| SHA512 | 915a176804bad8d830994f15e425fb7149d1a6d9830a34502e99c7a83de03a8580facb45bb9a8f81383f2bcdd38b3c1bc25cb4ffa21729f7bbad2097ab2eddde |
C:\Users\Admin\AppData\Local\TempYRXJF.bat
| MD5 | 5da712d36756298ded5a0df13f98720d |
| SHA1 | c734432282ef504ae8ced2cc68ff7c16b61b3a74 |
| SHA256 | 8ac183b8ca80c0ba81faad4d3296c8e7e82aca4c807d74c110317a69fb1b962b |
| SHA512 | 975268f3db052dc34d7a7502aa8243eec92c9c637e5a76356718478d90327b30a14889a897bd24a17a01153d5ba275aa969d1772d248c357b89520911784ad9e |
memory/2968-714-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-719-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-722-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-723-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-724-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-726-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-727-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-728-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-730-0x0000000000400000-0x0000000000471000-memory.dmp
memory/2968-731-0x0000000000400000-0x0000000000471000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 23:01
Reported
2025-03-08 23:03
Platform
win10v2004-20250217-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VVJKFDGVJQLQAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LODJWWIQHRNIYRD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAEAVQDL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJWHGKXYBLRYYJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HRNIYRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSXDECKCHWVJKGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXAF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KLIRDJOACEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSIBYAHQGMDULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCSBRSPYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIJURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OGXPLGWQBRAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMYCHVUG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNLPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPXIICWADTPQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OPMVHNSDBFAIUVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LPKSGHYAHHQLULA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXOJI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BQROXJPUGEIDKWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QSICAHRHMEVMALB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HWXUDEPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DXCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGQH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NUYKIMHPDEXVEEX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULG\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRHVQOTGTVAQJMO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJDXNOLUGMR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGWVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMDULAK\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQL\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBJASKGBRKLUYKL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EVOTMCMGEHXTUCQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLFPYWGDNHIYRUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YARKQXIJCWBDTQQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBLYUSCXJDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSWKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTJDBIRHNFVNBLC\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVWSQSIVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGNR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPMVHN\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSTQYKR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MROCOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPPWLKLHFMHXKSB\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPDDEEAVQDKF\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQREK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQQAXMLMIGNIYLT\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMOESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVMMKSELP\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWKLGEHXKRBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOSXEFCLDI\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJIVCLVTDYKEYFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJCHOXAAOTLTHR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WHFJEMBYCUSBBVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQLR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\REIECSYQHHJEABK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAUYWKPUABHAE\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GCAQWOFFHCJWESR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWUXINSAFCRR\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
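The Run-key rows above and the `REG ADD` command lines in the process list record the same persistence mechanism twice: every value name is 15 uppercase letters, and every value points at `service.exe` in a 15-uppercase-letter folder under the user's `Temp` directory, written by `reg.exe` launched from a `.bat` file. The script below is an added example for this report (it is not sandbox code and not part of the sample); it parses both shapes the report uses, flags the pattern, and emits the matching `reg delete` lines for cleanup. The length-15 heuristic, the parent-folder check and the two benign sample lines (`OneDrive`, `svchost`) are assumptions for contrast, not observations from this detonation.

```python
r"""Flag Blackshades-style Run-key persistence in sandbox output.

Added example for this report (not sandbox or Blackshades code). It parses the
two shapes in which the report records the persistence: the reg.exe command
lines under "Processes" and the registry indicator strings under "Adds Run key",
normalises both to one record, and flags the pattern seen throughout the
detonation: a 15-letter uppercase value name pointing at
<...>\Temp\<15 uppercase letters>\service.exe. The thresholds and the benign
sample lines are assumptions, not facts taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Optional

RUN_KEY_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# reg.exe form: [path\reg.exe] ADD "key" /v "name" [/t type] /d "data" [/f]
REG_ADD_RE = re.compile(
    r'^\s*(?:\S*reg(?:\.exe)?\s+)?ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"'
    r'(?:\s+/t\s+(?P<type>\S+))?\s+/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
# Sandbox indicator form: \REGISTRY\USER\<SID>\SOFTWARE\...\Run\<name> = "<data>"
# (the report doubles backslashes inside the quoted data)
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21(?:-\d+)+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+)\s*=\s*"(?P<data>.*)"\s*$',
    re.IGNORECASE,
)
# cmd.exe /c ""<something>.bat" " exactly as recorded in the process list
BAT_RE = re.compile(r'cmd\.exe\s+/c\s+""?(?P<bat>[^"]+\.bat)"', re.IGNORECASE)
FIFTEEN_UPPER = re.compile(r"^[A-Z]{15}$")


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str
    data: str
    source: str  # "reg.exe" or "indicator"


def parse_reg_add(line: str) -> Optional[RunEntry]:
    m = REG_ADD_RE.match(line)
    if not m:
        return None
    return RunEntry(m["key"], m["name"], m["data"], "reg.exe")


def parse_indicator(line: str) -> Optional[RunEntry]:
    m = INDICATOR_RE.match(line)
    if not m:
        return None
    key = line[: m.start("name") - 1]  # everything before "\<name>"
    return RunEntry(key, m["name"], m["data"].replace("\\\\", "\\"), "indicator")


def parse_bat_launch(line: str) -> Optional[str]:
    m = BAT_RE.search(line)
    return m["bat"] if m else None


def is_blackshades_like(entry: RunEntry) -> bool:
    """Heuristic (assumption): Run/RunOnce key, 15-uppercase-letter value name,
    binary named service.exe directly in a 15-uppercase-letter folder under Temp."""
    if not entry.key.lower().endswith(("\\run", "\\runonce")):
        return False
    parts = entry.data.split("\\")
    if len(parts) < 3:
        return False
    exe, folder, parent = parts[-1], parts[-2], parts[-3]
    return (
        FIFTEEN_UPPER.match(entry.name) is not None
        and FIFTEEN_UPPER.match(folder) is not None
        and exe.lower() == "service.exe"
        and parent.lower() == "temp"
    )


def cleanup_commands(entries):
    """reg.exe lines removing the flagged values. The running service.exe
    instances and the dropped folders still have to be handled separately."""
    return [f'reg delete "{RUN_KEY_HKCU}" /v "{e.name}" /f' for e in entries]


def triage(lines):
    entries, bats = [], []
    for line in lines:
        entry = parse_reg_add(line) or parse_indicator(line)
        if entry:
            entries.append(entry)
            continue
        bat = parse_bat_launch(line)
        if bat:
            bats.append(bat)
    flagged = [e for e in entries if is_blackshades_like(e)]
    return {"entries": entries, "flagged": flagged, "bat_files": bats,
            "cleanup": cleanup_commands(flagged)}


# Constructed sample: the first three lines are copied from this report, the
# last two are invented benign lines for contrast.
SAMPLE_LINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBDRNM.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJWHGKXYBLRYYJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f',
    r'\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DRNLPCPRMFJKTPC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for e in result["flagged"]:
        print(f"[{e.source}] {e.name} -> {e.data}")
    print("\n".join(result["cleanup"]))
```

Run it against the full process list of a report (or against `reg.exe` command lines from your own EDR telemetry) and the flagged entries give you both the Run values to remove and the dropper folders to collect. Deleting the Run values alone is not remediation: each `service.exe` already running will recreate its entry, so terminate the processes and remove the folders in the same step, and note that the `.bat` paths are recorded as `...\Local\TempXXXXX.bat`, not inside the `Temp` folder, so a sweep of `%TEMP%` alone will miss them.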
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1540 set thread context of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe | C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBDRNM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJWHGKXYBLRYYJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe
"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRDJO.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBJASKGBRKLUYKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
"C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIRIG.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NUYKIMHPDEXVEEX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MROCOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HRNIYRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJPUFD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWQBRAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe
"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORSXE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJIVCLVTDYKEYFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe
"C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLFPYWGDNHIYRUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGWJRA.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSXDECKCHWVJKGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXTAGD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRHVQOTGTVAQJMO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
"C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBLYUSCXJDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe
"C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGOGD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WHFJEMBYCUSBBVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
"C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
"C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNLPCPRMFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJUSRV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LPKSGHYAHHQLULA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe
"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXOJI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe
"C:\Users\Admin\AppData\Local\Temp\XARKPXIICWADTPQ\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXHS.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KLIRDJOACEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSIBYAHQGMDULAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCSBRSPYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe
"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQREK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe
"C:\Users\Admin\AppData\Local\Temp\YQQAXMLMIGNIYLT\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe
"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe
"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "REIECSYQHHJEABK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe
"C:\Users\Admin\AppData\Local\Temp\IWSAUYWKPUABHAE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGWVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe
"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMDULAK\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempORGUC.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPMVHNSDBFAIUVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe
"C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMOESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe
"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVMMKSELP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDHV.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GCAQWOFFHCJWESR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe
"C:\Users\Admin\AppData\Local\Temp\GUQTWUXINSAFCRR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVASWR.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGVJQLQAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe
"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe
"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLGEHXKRBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe
"C:\Users\Admin\AppData\Local\Temp\DMVEAYOSXEFCLDI\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSRAT.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BQROXJPUGEIDKWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe
"C:\Users\Admin\AppData\Local\Temp\QSICAHRHMEVMALB\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSCRSP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LODJWWIQHRNIYRD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe
"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe
"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe
"C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSWKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe
"C:\Users\Admin\AppData\Local\Temp\QTJDBIRHNFVNBLC\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVWSQSIVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe
"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe
"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGNR\service.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYXFGP.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDEPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f
C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
"C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"
C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe:*:Enabled:Windows Messanger" /f
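The process tree above is the whole persistence and firewall-tampering chain: `cmd /c` runs a batch file written as `Local\TempXXXXX.bat` (next to `Temp`, not inside it), the batch calls `REG ADD` to put a `service.exe` copy from a `Temp` sub-folder into the HKCU `Run` key, and the payload then sets `DoNotAllowExceptions` back to `0` and adds itself to the `AuthorizedApplications\List` exception list under the name "Windows Messanger". The Python below is an added example, not part of the sandbox report or its signature set: a small classifier that parses `REG ADD` command lines of the form listed above and tags each of those three actions, run over command lines copied from this process tree. The tag names, the `parse_reg_add` field layout and the prefix-style `Temp` match are choices made for this example.

```python
# Added example (not part of the sandbox report): tag REG ADD command lines
# for the persistence and firewall tampering seen in the process tree above.
import re
from collections import Counter
from typing import Dict, List, Optional

# Registry locations used by the sample (lower-cased for comparison).
RUN_KEY_SUFFIX = "software\\microsoft\\windows\\currentversion\\run"
FW_POLICY_FRAGMENT = "\\sharedaccess\\parameters\\firewallpolicy\\"
FW_APP_LIST_SUFFIX = "authorizedapplications\\list"
# Prefix match on purpose: the dropper writes service.exe into a Temp
# sub-folder but its .bat/.txt files as Local\Temp<NAME> (no separator).
TEMP_PATH = re.compile(r"\\appdata\\local\\temp", re.I)
BAT_FROM_TEMP = re.compile(r'\bcmd(\.exe)?\s+/c\b.*\\appdata\\local\\temp[^"]*\.bat', re.I)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens: List[str] = []
    buf: List[str] = []
    quoted = False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_reg_add(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the key and /v /t /d /f arguments of a `REG ADD` call, or None.
    Handles reg.exe invoked directly or through `cmd /c`."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    for i in range(len(toks) - 2):
        if low[i].rsplit("\\", 1)[-1] in ("reg", "reg.exe") and low[i + 1] == "add":
            break
    else:
        return None
    parsed = {"key": toks[i + 2]}
    j = i + 3
    while j < len(toks):
        flag = low[j]
        if flag in ("/v", "/t", "/d") and j + 1 < len(toks):
            parsed[flag[1]] = toks[j + 1]
            j += 2
        else:
            parsed[flag.lstrip("/")] = ""  # bare switches such as /f or /ve
            j += 1
    return parsed


def parse_firewall_entry(data: str) -> Optional[Dict[str, str]]:
    """Split an AuthorizedApplications\\List value: <path>:<scope>:<state>:<name>."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "name": name}


def classify(cmdline: str) -> List[str]:
    """Tags (names chosen for this example) describing what one command line does."""
    tags: List[str] = []
    if BAT_FROM_TEMP.search(cmdline):
        tags.append("cmd_runs_bat_from_temp")
    reg = parse_reg_add(cmdline)
    if reg is None:
        return tags
    key, value, data = reg["key"].lower(), reg.get("v", ""), reg.get("d", "")
    if key.endswith(RUN_KEY_SUFFIX) and TEMP_PATH.search(data):
        tags.append("run_key_points_to_temp")
    if FW_POLICY_FRAGMENT in key:
        # DoNotAllowExceptions=1 means "block all incoming"; 0 re-enables the list.
        if value.lower() == "donotallowexceptions" and data == "0":
            tags.append("firewall_exceptions_enabled")
        if key.endswith(FW_APP_LIST_SUFFIX):
            tags.append("firewall_authorized_app_added")
            entry = parse_firewall_entry(data)
            if TEMP_PATH.search(value) or (entry and TEMP_PATH.search(entry["path"])):
                tags.append("firewall_authorized_app_in_temp")
    return tags


def scan(cmdlines: List[str]) -> Counter:
    """Count tags over a batch of command lines (e.g. Sysmon event 1 / 4688)."""
    return Counter(t for line in cmdlines for t in classify(line))


# Constructed sample: command lines copied from the process tree above.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVASWR.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVJKFDGVJQLQAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f',
    r'"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:70])
    print(scan(SAMPLE_CMDLINES))
```

Two practical notes. Because the parser looks for `REG ADD` anywhere in the line, the same registry write is tagged twice in a real process log, once on the `cmd /c` wrapper and once on the child `reg.exe`, exactly as it appears twice in the tree above; de-duplicate on the child if you are counting. The `SharedAccess\Parameters\FirewallPolicy\StandardProfile` values are the legacy Windows Firewall store; the direct `REG ADD` into `AuthorizedApplications\List` with an `*` scope and a Microsoft-sounding display name is a strong indicator on its own, whatever effect it has on the host's actual firewall state.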
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.16:3333 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\TempBDRNM.txt
| MD5 | 6fa2e9edd5f1b2cf91a50fce556ab425 |
| SHA1 | 1ab599c81af314d7fcb5d71ade64ef1d6af90f9e |
| SHA256 | c64127a4b8d2e39e1d2b59bafa74f26d532ab3407d4042e7af966ad7f26bdc9b |
| SHA512 | 8d2d9ad81c5636ca916f7d12af80ed05de97e7411bbd0f4a85be43d138ffd98af725384d6fd862af3eec97ade67118341d848f504cf4c8b21405be4bcafb7fa8 |
C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.txt
| MD5 | b711b37fe1827d094f49245996fb6586 |
| SHA1 | f18cce62ba76149d0212f74818cba48753a8cabf |
| SHA256 | 91ab007af9df49861eb0b67a580eaad8d44c768260621a8652b1bbf2b1fa88bf |
| SHA512 | 9c4afedc3a8ba4972bfdcbbdab53cf7ab50a62dfeeea32c43544a3a86e57081dc2671ee861a8f946cc7e615fcafe7eb87c7548289f376867e61aef9fdef0efa6 |
C:\Users\Admin\AppData\Local\TempJRDJO.txt
| MD5 | c84fae6cade4418f510bef53dbaf1202 |
| SHA1 | adc0e9b7e978c8a8835ddbbd3a0ccdd21f518bfc |
| SHA256 | 242708153ac165985ebed0a13191950afcf8d69f8300d912acc4733f1ae12acd |
| SHA512 | 4b9b9a4a9dfdff6b4d27fe3e9a1cd53df4fac54e602699572cec0539b463d621aa782f47a490e46521cd1d754b5c076739105d33785a62ae058799dfa43f8846 |
C:\Users\Admin\AppData\Local\Temp\EVOTMCMGEHXTUCQ\service.exe
| MD5 | b5a004240d8425c443afc35bcc398ce3 |
| SHA1 | a05785b0d5448b95bc1fdb8d54356e51a2d422c4 |
| SHA256 | 5208baa58cf7293e68ca4b2ca3e2a77e9abbd6cb96e725b5cc5172164a6a4223 |
| SHA512 | a12ebb0e80c4c328814944ff442b166ba55e0acd7a71439071b6c82bc7c095522eb23cd6cd262ff6dadac5aabc8557bd1b2b090909b2e7afbd0e3eccf97b4355 |
C:\Users\Admin\AppData\Local\TempMVREB.txt
| MD5 | 0e84f3bcd40232c8eb14e54587f94776 |
| SHA1 | e7648e0fc12856e52efec01dedf8cb4eba0c9953 |
| SHA256 | ea568b80a63a5b79adc0dc2fee080588c2e7f9747730bc2a2f019671618ce98e |
| SHA512 | 7da9c91d583165b2af80ca23f0f398d5a56e10c2a4d07729c36c2a68b260c26e65b4722093bd03a59cb643348b63572aa12827b92e832e1abe290e60f67a6f58 |
C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGQH\service.exe
| MD5 | 01840a4769bcdf062394f921450ed1ae |
| SHA1 | 2366cf740817c952f7922f880fa134dd32182031 |
| SHA256 | 4dfb87fbf88fbb5cb887fed09fedc76c505fb1289ec8049a895cc3baff03b5e0 |
| SHA512 | 5d4ab327a4f33d9d0be01313e69bb55bfa6796e324366158fd43678d33e7f822d5fd17152748f8bf788a7f8d3d52ef5d1700b7a1d9ab4c3a236f58616157caf0 |
C:\Users\Admin\AppData\Local\TempNIRIG.txt
| MD5 | 826a20596f6976249332de226c6cfdf8 |
| SHA1 | 3f811f098b3e8445eae5da7e9dcd98b2ef5177e8 |
| SHA256 | bce12e777216230c396e60c89fe1ea2bb30f28ef17900ca1c037d7044f519c9d |
| SHA512 | 098f41014807cd5573eef56262adf36b0d5a5082afdd760ce5e07456ab1a7935a6a53b92d4af07f9b42fadbff0a693cbfcf548c62c059bfe26828e5f9745bd17 |
C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULG\service.exe
| MD5 | a22631593e49a69770ded955ef90f885 |
| SHA1 | 2f5ea65ab98f5f586ec1f2ce40a5e34f2880ec38 |
| SHA256 | 02132dda2c1229ec1f370967c88020593f5c287b21ef25a7e1b4b1055106e966 |
| SHA512 | 4a91fb9b1a318854f58d2a203639cf82d8542228f477039485db226ac55b6e589c575fa584e6db6b349bb25765ad43bd7c58f45e638d24c7db6f51a14fdb0c23 |
C:\Users\Admin\AppData\Local\TempDRYHT.txt
| MD5 | adc7a0d1c28b95fb10bf331628342207 |
| SHA1 | af786319d980e4cd7f481e0208bcd7265b0cb1ea |
| SHA256 | f5070ad84d95dcf703f95455d7a0db0c2f4c552d5057674ce3733f01ce60b207 |
| SHA512 | 679455ebb23dcbe3334b58bb48550a2bec1585b3982b1d6be020fa74cd7e1fa03e32e9b33a4eb5ce741a3dc1d282aca4868bb66e2d13177354fd36cfdc797919 |
C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
| MD5 | 3e48773f7ac1202516147971509dd11c |
| SHA1 | 9890451919153cd9bab36c6f5ac54cbc5f1faf0e |
| SHA256 | 5538003bdaf9a280948775fc5e9ca935648899ecfad67cd0efd183626133460f |
| SHA512 | 7ffaa38ca6f1d04cdff3e0a5bc8b220336c8b68ecd64ac0c091aac93d5cebbb2a89d60ee7f26b2e99e78f45403fc6e6ca72b7acf92cb5ee74f7c3667bc2060ad |
C:\Users\Admin\AppData\Local\TempOPYUB.txt
| MD5 | 0b6b760849c7bd9de74e64f9c2f3fdab |
| SHA1 | 2ab2b28c12975c0a6748cedf34261ab55a4c198b |
| SHA256 | 892339a1c3d9473d0b7352a4a7cfe9607924df83c741dcae24220c92bd2a0b2d |
| SHA512 | 9317e2739e7b523a31e1382fd38fdd9eb0498cba45c091c4265a3f87af2c66379b595a1af65b6754366f0f061c4753c5e67710f7340fe656124bf6bcc2c12f60 |
C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPMVHN\service.exe
| MD5 | 9f0fa15911cccd9a450730f1180f0b13 |
| SHA1 | eda0b14882ccf493773dceb173a97a206b69488e |
| SHA256 | 6b8c4bc8f9609a45b324f9823129e18ceaa84e7f18df9dc1ba4d173fad406d3c |
| SHA512 | 9e5de86de04942da978483ce77cbdcdc57dbe85ccf3c8ff685f3b6387eaf659e92694f0866780c5fa9d8b9e42784f86d798923a32efb68853195b285aeaf4ac0 |
C:\Users\Admin\AppData\Local\TempYGOFD.txt
| MD5 | af522a5ea303ea851c24f9829c421740 |
| SHA1 | f5a77928aac462afe7f56199ae8de75e032481bf |
| SHA256 | 5ff4f4614539c82da38c5537d8ffd56163edec2b1dc2af8e41cb98e7baba0a87 |
| SHA512 | 9af85c64ae72327555a0065d5206341edc93838d6fe49e41c95459add623c79acaf9803a731939b1a77526b7084d39ca62255c301550f4fa9d5ac776e7a3e183 |
C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSTQYKR\service.exe
| MD5 | f33a936a804f16d5ccf7ec6c1579c0ad |
| SHA1 | a2014dfe2720d2d02837c34a65cc5e8471de06af |
| SHA256 | 0e3b851354ed62584675d3fd9a0eaeb6049bdb194f16e1fa3cab06166ed0f6f3 |
| SHA512 | 3abb62e96a0f6d39d96e5f10cc48a52ce561447ee3e0b071da16fd2889e88fff9215ece5542f1247ff5e5cd95cc3cedcf2f80496d4b79ecf2b43e927a69709d2 |
C:\Users\Admin\AppData\Local\TempQBVUJ.txt
| MD5 | 7b79dc7eea216022d53f393972e89b61 |
| SHA1 | 0492d08361efc368281d3dd53dbce45872a425d4 |
| SHA256 | d579c56a04a19b8c0798f0fbf1b2b097259581aa491ac42af34ec0eb085feb37 |
| SHA512 | 59be76023f9d1fb5af5f9119ea61169b441fb0127919767e4756a2b8b300a0de9d5af4b13f5d9ae70270c9e3211d840a30f291cb69a4b980692bb2b753468f0f |
C:\Users\Admin\AppData\Local\Temp\XPPWLKLHFMHXKSB\service.exe
| MD5 | e8da65d2bb8c494d853e0667c17dc2b7 |
| SHA1 | 65d2f7da8dc88525ab56ce94cf4d39af00a3fb19 |
| SHA256 | fc2f17030d74479e84fde7c69dfad47369b3f7220289c3dce7f89fbb0f026ddd |
| SHA512 | 0951ae082c46daa3a671171382803c510dc77b9ce3ca79f4e4bfbd9e9cd30f7120a03de6b13c01945a805387039d83588063dc15a2fea477fe25c6df6e6756f1 |
C:\Users\Admin\AppData\Local\TempVHFJE.txt
| MD5 | ae509edd5dcf523ca66bbe9a385a6970 |
| SHA1 | 755cc715ac1c910495d7ebe4938c14b5f3a5c7c1 |
| SHA256 | 9a5316af50370d0e410c04f1e2dee52a446f21fbd412097d81d3e9662df06afa |
| SHA512 | cf52c4cc6246f9b4c0dfe65559a2ef39b1c8e909a7d245ed77e46f696a37ed42241bf097e01809258ecc10003fe2d7fce68f874bbb3c29530b0e7c69fbbdcfde |
C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe
| MD5 | a6d0bf66361dc01a9a2343310b1b1d69 |
| SHA1 | 3e30d106ba8a5e284b7dcad14304105ee0cc02c8 |
| SHA256 | 1a4631951129a3e3a5c74815b3c70145d27dfb6dee1623e1267e8e11f0284ea7 |
| SHA512 | 1dec0647dc1ca6a11b58e70825831c8f346b7a0294747cf937b91f00f896dccb8798e9c7c97ff2b55ca391b428c26e9584c3f7a2ea0f4c089c1de7f9674439e2 |
C:\Users\Admin\AppData\Local\TempJPUFD.txt
| MD5 | 66097a57ad354205f527a8611e0d521d |
| SHA1 | b5dfcf50ce1b17eb8d280c2b7d991c23b79ee197 |
| SHA256 | 8abdbf15859cbef19f04e689075848a98e404baaf4de37a50abce37b230380b1 |
| SHA512 | ea74eb331a4ee32f9640b0f5f205269d6ec5a8b9605a25ae964602064cd8a574caa2a716bd2f0dbd46b0d9b3c1619bc10751aa11ab4af06d2ed42fb3a9a083d1 |
C:\Users\Admin\AppData\Local\Temp\JFTRISLKMYCHVUG\service.exe
| MD5 | f7fb5bc4701114c2eb8502f4c7ab3c53 |
| SHA1 | 731fd52eb645028840530e94fc60402e5d2a0191 |
| SHA256 | a1eba8a24282f9ef1dbda69459626603f2b4940151125246aa2ddc9692f62a62 |
| SHA512 | f4e3f28a6daeac6006c1e53cde9a4e6f4f437b2c70c8ea32717d63ad4ab46586d7a3ddd4ecc53277e362c94784fde3dc029ccec57a29ff35d7099655765bf7a7 |
C:\Users\Admin\AppData\Local\TempMIWVH.txt
| MD5 | 744a5026709d2e515773358787335ddd |
| SHA1 | 30e8cd8484237258baf44dbe7519134890471634 |
| SHA256 | 275ff9d4af6a5aa1439bb2288cb5bb576546130da74f614bd575738da1bb21e9 |
| SHA512 | 7f2de32cf6b2874543a0c05b18c146bbcc804509cbd040f66d6facd63d56f0a765cbc9e14e513cff32fd8cc7d475c8532e11fa135fa94f76c233b369eb54d33a |
C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
| MD5 | afa78eb7d384e992bc3d2eff53715c63 |
| SHA1 | cea87f221bea8e3d463876c3f5eb8b77d1902bcf |
| SHA256 | 1972ec40beddcc0eac2e7677ca0dccdf4a6d864725e770a26aca7ea37472c80f |
| SHA512 | 06da14957dff1c7e4a82e3d973175be30ce9e9e341e3849d03a24958c3ce24fe85ad3bcd3b9ae62f34950d1f1a22ae511e17142f4aad738a9d1de29209401b45 |
C:\Users\Admin\AppData\Local\TempORSXE.txt
| MD5 | 614f1433fbe565374413c79c491fdb8c |
| SHA1 | 27c042d949d3310e3ed482df360a440af8a95976 |
| SHA256 | f6feacdd588ebc36b5577beb6494d1b972635898ab4df10ce41848ffee437ae0 |
| SHA512 | 082322c1cb90f34383487526bf7602b1efeea9053b3dbcbceb1e7a48ba56c3af52dcab39e6d8a717bc2dba9fdbf9c3a7bdeddab42cd47fdf0ded97169328704d |
C:\Users\Admin\AppData\Local\Temp\WPJCHOXAAOTLTHR\service.exe
| MD5 | faa1c13b321003440f1894417b9e72b3 |
| SHA1 | 60e4734f04f3b62849693412d2b84af2ecc26ab5 |
| SHA256 | 593dc4bfcfe9b10423c72f927ec51c93e45a698a1e2b11a2de734d66bd09e6b8 |
| SHA512 | 09b89b813ec9eed289cb0562816243d034d553c70ab1f4e1b828710d5e8674b7db208f0cd17417a88aab7488f5c910e9230bf9a3506aacd46d11fcf3dadae0d2 |
C:\Users\Admin\AppData\Local\TempHIFOA.txt
| MD5 | 65051c70fb370f0677d286ed2bb6bbc2 |
| SHA1 | fd7d7addbb9b886bb624ed5943299ac1b5736fee |
| SHA256 | c057dd885e2c0d5fcc08c30e83f212943a4ed1ad4f301dfab2d9ccf2dc6e6aa9 |
| SHA512 | fb891f6c8f8ff0921c96a17fa47f43136c5d4f384d954d0ad325c903f54990d96c1efee4f69b79fc267a96e87157b7dca4d805799d9f05a0584b1f020014e145 |
C:\Users\Admin\AppData\Local\Temp\YARKQXIJCWBDTQQ\service.exe
| MD5 | 7d469346060ba30733fcf972d3ead2ad |
| SHA1 | b41f698ada0483ad44ec54b5b802012d3c68b325 |
| SHA256 | b055c8829fbfa74df9ea916e0e4e74d4f34fa45fd49767fc9c30898ed8467e2c |
| SHA512 | 4f6f76e1b883662ba8618425c807e4cf85bffe16a78e607e41184644453f4a3e68a3e10dca96e98eb363021df99208a31007be8869045ab707c304effe7ef0e2 |
C:\Users\Admin\AppData\Local\TempXQWIE.txt
| MD5 | 8cf657ee18ff90831120c9ab8a391242 |
| SHA1 | 1b5943769649c6f011a26190d57915b340441fcf |
| SHA256 | ceae3950d64bdd606b5d177cf82023520e05aefa538ae9752dd66875e4bf6b00 |
| SHA512 | 5e49079d50c85bb2c15d893dc1bc7033792e420ce86a3c43d7627c89ac3ad50cd46ad1e42ea2e64cf0acf4a1499165cdc047b34bd06e3f3f4fd7bd3d2929b23a |
C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
| MD5 | 0e8bbf799aec17349b686278849c66b9 |
| SHA1 | 48f976a6189278410789bdeccfc7854a45cd32fd |
| SHA256 | d7c9ee3f5156b2a6ce7fba1367716193310fcbac616204b24f4fdda6ac36e388 |
| SHA512 | fbc38484c8b37f518c6f1e3d2d4e60a5096ffa08cb17acdfca5fe02e0991332682b057b95d564237bb614e403e0c13b5e5b22b04ab12f22331a72818fa39c969 |
C:\Users\Admin\AppData\Local\TempGWJRA.txt
| MD5 | aafa596022ec916e16d728991c445f33 |
| SHA1 | b74870573178579c6257ffbbc49ad226dcb9737b |
| SHA256 | 6a3917efbae6a89e372b72356fde1ddfc5a6399272cbbb25881e107747c3fc69 |
| SHA512 | 18e061d778bd0655c293d67b05b9723028aff20dd932e26af826f50b3979f9e0be121eb5e9f95a1de85b4c47ce25fb60d118ce918ab27e8cd194d34730a9c7b0 |
C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXAF\service.exe
| MD5 | b4073c9280e41ad9a573139efa7b3542 |
| SHA1 | ba95c3f00e262aea13d50db17bd0c8f4de9d5740 |
| SHA256 | 8664ee45d8e448fd1f3df051db89acba3d0367dbba737041e5e574f2174345db |
| SHA512 | 39461f6c0efc5e0c02833287345a0575e855d3f19961292ac0fefdd904ca4410c89acc1005c1894c1f6c1bbb0db5ece131a34f50957575415ab741d86dc9155c |
C:\Users\Admin\AppData\Local\TempXTAGD.txt
| MD5 | 3cf525dbf29f25f34df23201d08fce18 |
| SHA1 | 0890f015a03ebf0b241fc3f586fbcce07e080662 |
| SHA256 | de0703967a2d9f0e376b5597e2c3afc2db7bc40ed7762a64fa4abaf1ae30cc32 |
| SHA512 | 8a97f87963b63ebfa214e5f4a76ba01c89ef2ea4ac686bb3dd879acd6af7b1f28e1c1aa08fa5fa295c0ba57132135e5779623078fca541816edf973822504ac0 |
C:\Users\Admin\AppData\Local\Temp\DLDVMJDXNOLUGMR\service.exe
| MD5 | 93f619453f1ab2ccfea52b733177724b |
| SHA1 | 50b181091fd2b625ce72318829d2b19a644cabb0 |
| SHA256 | 4bb6aaf5ece3c7d885ae2161344ca2600b12075b933b963fdc59643775087948 |
| SHA512 | bd2cbbd7a339586748d58c1a489d95de6a99f17d953ac5b9e5051415ed6b24d96fe5234716f67e7e580c08ee877f5d04cdc1356e3fffea33cc9fdcf439047637 |
C:\Users\Admin\AppData\Local\TempQRWDE.txt
| MD5 | 9b570159134045325ae16d82147020a5 |
| SHA1 | 5455f8b560bb5ab16f9405bfc031141c4dcd1ad9 |
| SHA256 | a80b5e8717edf443f6577ed46e4370efff33d07b477f8b753726a958f36fe9ed |
| SHA512 | e26345a5f1806f93766dd7b9d00b1712e16a27f11655884e3e27d26a7b932ff95cff18bcecb5b0560fcaa8e15dd773f44924bc80b3029418b0c3229b1a13c410 |
C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
| MD5 | d6eeda45170c43449f0b581926883578 |
| SHA1 | 769e69a6142e83ec668259a5a85717c6381e7432 |
| SHA256 | 6c8e56b9a796c4aea0c4cd89805b57e16cdfce4c378e084e06b69c5e92031515 |
| SHA512 | 80495f13c7b650c653c4c09a6b81255029577f4eb6b0fa3af29573d7316824fbd1ee995d8c3ce3e8eeb210130f6277ec91333426892168c4b107d2c20bc9b695 |
C:\Users\Admin\AppData\Local\TempJSNWN.txt
| MD5 | 3aa1f329efa98263ae6cc7490d68de80 |
| SHA1 | a1dbf8a2daf345103f9b40ab592015ecd1bf2247 |
| SHA256 | 7f36f38822581f1e739154d1aaf807c671e26fa73e6507474034732ea3d4b61d |
| SHA512 | 7cdd827d7dd312388aa55eeb73a0e5606ca1b48eb3c8c954f16f31b6ac24af788f9a47cda3283adc6179d7b7a5a9ae9e33b40444c571a50a8e7dcd61ebc2a4a7 |
C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe
| MD5 | 0a0930eb722649f8597f11af153f4e73 |
| SHA1 | bdea61cfc664cee5be455963a119e0c243e380f0 |
| SHA256 | ca24c5374a07dee14a18f64d7462cbb556e0486448b7f093d9bb9da95424ca87 |
| SHA512 | 148933ccdaa587dea5dfa555c2d022061e2eff2a61fab7bbd5a501d6e13ad37b27d6537a2c822553b61f062ba842e23fa20e706bcb840f9f38beadd3a044897c |
C:\Users\Admin\AppData\Local\TempYGOGD.txt
| MD5 | 4b6b4213a6274deff4ca98e7bb0fd4ab |
| SHA1 | ad0b1b25e8b71b3c14c40e8a064d72aa88e3e6a4 |
| SHA256 | b60d1d001ef0e51c969f6f40e26bed2b518e09345230e104370aecd4a1c5b7b7 |
| SHA512 | b490f77f739a0d4e8f2a3f37a68e67c133a44ce9191343044910f23f8add242c4e9e2d5f6924e501a1058c71bc04b21f9fa18cd5ce3ef734be68d4bddf90a1fc |
C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQLR\service.exe
| MD5 | 6db66dcebc78552254bb4b8a02fe372f |
| SHA1 | 524a1e5fad999138cbb3d0fdb4440bd3325b3e38 |
| SHA256 | a22cb7710ff5f4910142ba36cfb2b4fbc1c317c92c06f12ebac7548c86499524 |
| SHA512 | fdb9725855823d7f9fe2488da0c410bc48f412d21d3519a9ece2b61edd548d95e3d547ed7c9a49b538c9ddb3e3cd4b8ae559771cf8246e1b041486643b02f567 |
C:\Users\Admin\AppData\Local\TempUGEIW.txt
| MD5 | 54b154c0074045c0b65130047455e866 |
| SHA1 | 6cb37d98075d62318d5dee038e950d05cbb0f5db |
| SHA256 | 2d21b38c4c487ca8efc5582b062d720de64658d9ca8dac2fa857c4148d206695 |
| SHA512 | cc53906aaa17be744adbeb782b13989a44d9cf77a3b3e28ac6f616085318f9287bd5bef1ddd208628244556bddd4d4cbb375dfdf1993c959f6c0ddd57e406f96 |
C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe
| MD5 | dc1528587a43c4c1a6f607ef822c1536 |
| SHA1 | fe5bc1ef92bde67fec479f475cae6b47215531ea |
| SHA256 | d2164cb270f0595661850d582aa2ba8510fbf3b8c32aa4faf980a5c094f88944 |
| SHA512 | c5089f8fc2fa6a3b87c75de641be693410465f627a3f186f3cdbfc0122c747090018a7586b34e7cf8ff3d3aea4ee6b3cd230eafa0010736985fe7b30a1a87f3e |
C:\Users\Admin\AppData\Local\TempOWOIB.txt
| MD5 | 8c6e9ab42638a703b50323eb4618a1ec |
| SHA1 | 5f7db0ce1b8a409aed54ba74a07dc14aefa4b0c2 |
| SHA256 | b481ac9a779de2bba017d298d5c89b027bd384a8acfa73d39b2452d402a9cede |
| SHA512 | 2f573af84dc17a35e21972d2a18bde3407b9a18655d195b23c81ed91c641309d3f65c1135b2d908d0ce43c5b2779525e471313863598bb09a5b9529e57a5c7fb |
C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
| MD5 | d4fce83e0f10002d817251788de66bb9 |
| SHA1 | 10a834c23b5cb11aa364a4c4901851adbe6bb358 |
| SHA256 | a1295835b81d680455c358c86c6355bc4b99950d49afef7367c156f10d2e19fb |
| SHA512 | 9eb7619e475f5257b0b83b1c35129d08b0b7ce7e7ccbf439bb717ea920a2f2ee072ea251739bb2f7d33030a1de868bbd82a4700fe2da90bcedd22559efe7087f |
C:\Users\Admin\AppData\Local\TempJUSRV.txt
| MD5 | 1ee484831f631cf02e6151a3adaa385a |
| SHA1 | 9021d396e9d54d48211446a539e7913e6c3de55b |
| SHA256 | 7c533bf5a46fea75032fe6c4ed8a3cae26ad9e3fc767ac9dd6bd48c775d44279 |
| SHA512 | 5476d0cb15e0a1508556b8dad1a9df0bfdf4b6fe93e9cdd92d03a9fc88769f76de78634164b49a622665db052b630e3b02a1c7bdd6dbe185dcf75de78a4ad6ec |
C:\Users\Admin\AppData\Local\TempMPRWC.txt
| MD5 | 5826b21bd1acd9827aab11fa4ae96f80 |
| SHA1 | 70dbcf9b36551660a8101cf41b3d223306a8a912 |
| SHA256 | 4837e9f3bdc83a08cb1b271cf3ec8df340f9f366fc4f3bc9398a1c05f3251f0f |
| SHA512 | 961b179a7a08c6548df904d249a39055fba8987a5d76a2d8ad26c717472b61797dbefe0a8079337d26551f6d19de118c4fccef25f6b90cb52e84ebf030c841d6 |
C:\Users\Admin\AppData\Local\TempVHIFN.txt
| MD5 | bae0445eae1984998b8e8f2e95d61fcc |
| SHA1 | d52837b67fd0715d254589b0abbed61a9e240601 |
| SHA256 | 16ac196a027a14185c2aa74a7b35d47578fb80583f7f4babcd910ac11c386334 |
| SHA512 | 98b89bfc0f41a337748dbf573b6d84bb7939cf60b826e2db94b2095aa385d9af350c4e61be9e4d1fe7d9a9b8efda6f94678ec1e3b24666d5f68e7866e04fbb7f |
C:\Users\Admin\AppData\Local\TempCQXHS.txt
| MD5 | 5037eb92e66a2c05e7d5078a8a1143b1 |
| SHA1 | 4a388c5871ba342bda5d0aa51ad5bae27b732d8f |
| SHA256 | 382df9b3a1a226397b05dc0774a41a46a3b28f8be91a16cc62b23c3238f1bd93 |
| SHA512 | 63f98ee3fc58a56a94d7560a88a356fa0d2d39d3ec0826c868501b059b8b7175767ec3a01f9605bbbb98caf82d54830cfe7e4893018cd20420db1bf72850282f |
C:\Users\Admin\AppData\Local\TempQVGEI.txt
| MD5 | 3ea11b70a23cf32f40c930d247ce49f5 |
| SHA1 | f47f06e80b041991b8c9b357b1d3a47a444e4014 |
| SHA256 | ef2e242f3d41094edc4a8f7a42283fb7636c3c91f25adde5b661524547fac631 |
| SHA512 | faed7053581bbeb36693940f324188a4b63c334f89299fb9ed5c012aaa87caa177648a9294d67140f01e0c485eb976b8af5289fbab989d6cce6ec7bbd269a8ad |
C:\Users\Admin\AppData\Local\TempRRCWV.txt
| MD5 | 4e1bd99e24df2894bc8d6ca5770c579d |
| SHA1 | 5600d1a3f6c3e7edaf7cb21e2140548cff9f83ff |
| SHA256 | 690c45e0963cb87f5a01c5c56b9496fca439f1f82c53d6654610568c599f89f5 |
| SHA512 | 5c7484f19badf65018fcad73d0ef6a292b959eb9e8bf810748b355595a96085a59910718377b07513c7ac4d688582bee7058b382934d10caf591c83bd820a5de |
C:\Users\Admin\AppData\Local\TempUSBCV.txt
| MD5 | 1bdd43fd176c6a51eb3d368fc62a282d |
| SHA1 | b8686c37cf50a944d5a573a09735f54f7cfb1459 |
| SHA256 | 3e67c3f8a8e5cbcb8bee910de4451b20a5fd975c48cbdc3f454f01b6865752a1 |
| SHA512 | b9c52bb7f4caafc7f3c894af10b6b7a62a407aa9944721d1a4eac4ac1aeaa219cf3d5f172c1ad42eb68dabffe40b8b1a561bf1a6d9176ff63bb4cea903e23a9c |
C:\Users\Admin\AppData\Local\TempPYPEN.txt
| MD5 | 89e522433b731c85139482d45f788ec2 |
| SHA1 | a7c7a82cc9f450613d5574eb9516b8bfb3468c7d |
| SHA256 | b813aea977c0e97dac7254217395f1e7c8fc3496a4c024320c9ed30d6ad5ce5f |
| SHA512 | 4a8d39ee33e7d49146e2747bd2d432fd45bec1678e4c8cbd97a86bd5f27f3c71dfae1df8c94e801e8a1b14425d91e8b94965302c786e9443a1378e54835f3e52 |
C:\Users\Admin\AppData\Local\TempYGUTF.txt
| MD5 | 1fb3aeea25d3ac5c3b3862b15b20e5f5 |
| SHA1 | 59debac864640ba025d397706c2f9ca73fa8c95b |
| SHA256 | 0f48fc9fdbe9a498dc66e95000b6ef3afd22994ce4102a4de6445baa77e7be25 |
| SHA512 | e7060eb7ae87e18ccaa49c6c04ec0e61a2c4cb259572f8e2fc57c5abcb942bdc4e6b9f7bf739a1aa0cdb33fde64bf482bdde01e2a6c16c44cf92927b26a4512a |
C:\Users\Admin\AppData\Local\TempBEFPL.bat
| MD5 | 5d5193981fbb091f2db96343213a1540 |
| SHA1 | ff915d08eb74f807c0f4025cb9328452915d57b4 |
| SHA256 | 0507bc248992b8bb2868f818afd9557ee243cf4a23ec0600dc075bd545593611 |
| SHA512 | 22900c727121acdd2e26815c64739c26e94de8e96aada530d44006b47162cefc8200b44829f5da5a3332e4227738a6fe2dab62772ae5987f7521a971bae2dce3 |
C:\Users\Admin\AppData\Local\TempORGUC.txt
| MD5 | 6fbab6998ebcde0fb2d77e94a8d48a4a |
| SHA1 | 114790d9ec86e848a0320b012114fd1ec8a9ac72 |
| SHA256 | 058bedcbeb05b6ffe92cf33a62a3ba718497ea8a9c478fe89beee82b3cf188fc |
| SHA512 | 43a73aee74123e2d2cb687c80ce6bdc52029a1537f6f8a7c4beab9d011cf0d2018a6aed97f97217a2f16b7e7e06cc95f0004c141eefca656432c285c824cd0b7 |
C:\Users\Admin\AppData\Local\TempVGFJW.txt
| MD5 | 6802e1d742b92a5ca7ef02f9db16d1cd |
| SHA1 | d034a1fe579e06e2b8d5baa8e2faa42c1bbbe37b |
| SHA256 | 513c6b684727277667bdad458fd8639d2d243c797cd6a6a8242fb299455d6628 |
| SHA512 | a35e9c6b2a954c0dc6c8edd5317a28c1a0382f9703e36f4365bdee7439d952d0d887f53e12a535546fc4a3f3078012ba567131d050095cf6d3e9fba47891c44e |
C:\Users\Admin\AppData\Local\TempDMDHV.txt
| MD5 | 8be720d3cdc5c62641df5ef56fae71ab |
| SHA1 | a723734b68a48265dac3e7eefc87d0561c1dfaf5 |
| SHA256 | b98594696bf6f74fc972241084b34888a162de79897092e79281a2747136274c |
| SHA512 | 40b8586595edccbed2200722990d0aa933bbee9735436083a586550d7cff6db35d986976a1de2beba0e7f5314d1b49294c88e81682897c6dc1ab13a4b9b1d79c |
C:\Users\Admin\AppData\Local\TempVASWR.txt
| MD5 | 83f2239c58729035bb37f589e00bb176 |
| SHA1 | be8a88b50229293129567784e029ba75c3780898 |
| SHA256 | 22be063a91746ef1516216858887c5d1e2f5679bdd2e5a2a7415cc3d5a2d2911 |
| SHA512 | 7251675b46a0e88bbd86f1ecc2c4bfb14d6722044f32cf753d398d90cde7f0fb8c19958e8c3b9a0c9a1cec3b1cf367ead99504a93a2bf38d7faca75d79100573 |
C:\Users\Admin\AppData\Local\TempRSPYK.txt
| MD5 | 7de2ff60a6715c2a2852ea89a4475ae2 |
| SHA1 | 4319da27bb462d257abd0d1cc0aaec15d669f255 |
| SHA256 | 59e987f8f6aba48305c22970867cfc80a2ec7283dd22a3504d10a824fde3fe26 |
| SHA512 | c6e91b2dcdc34d856fc81405f2056b4b338a523af5bfbfa136ea76cc188be88765f48fb929d01f2b58fe1c1a5131d8f1523b09b9a9dc1d9a0bd3d12c04616590 |
C:\Users\Admin\AppData\Local\TempWCUYT.txt
| MD5 | 37d8942a5ffcb254da56c1cd09b6dbb1 |
| SHA1 | 7675d4b9064da26c2f4b8caa977a6b486071b367 |
| SHA256 | 442bfbedb2c1887a9a772b7fdc5a054cb086151bcd66bfadc8deee2cd8369cd7 |
| SHA512 | c257781d935a2474813176dcec7a7f60616ddce6a1956dec158a1763c16eee624d8b336007d2fafd7715f7a45bf7a2bbbb3652d9228dbfa8c0c04027e1d43324 |
C:\Users\Admin\AppData\Local\TempDGHQM.txt
| MD5 | 0a642b13e305d30ca155412d35b152af |
| SHA1 | 781496d9955791faa48807abc37e66baaf0169f5 |
| SHA256 | 1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797 |
| SHA512 | de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578 |
C:\Users\Admin\AppData\Local\TempXSRAT.txt
| MD5 | 7b71f34c8208404aa2e362f6497994f6 |
| SHA1 | a639bcaf7db18b375c7cc0a497398637f607880e |
| SHA256 | 22eb4aa65d75d6bcb1a5130d699d34e07c75e3a7dd4f398d46caca8422bf4a51 |
| SHA512 | 3adc219828e23f0569daeb14fd2f9bfda9f24f8e441a7204fee7003ae13287f873bdb417092b1671c79a8f54836f4969b6b31eac362006094dcc2331f519e165 |
C:\Users\Admin\AppData\Local\TempSCRSP.txt
| MD5 | eb7cc1ad6286fc8443777b3813b1220c |
| SHA1 | b1a5fbb6caf2316ee52dd09f487ad347ffc5def7 |
| SHA256 | beeaadc6ae05d441e5ca5b64a4208c2f80dda8e18640860d49757abc77825c88 |
| SHA512 | 5257486001025dee01d7c7a2f91b9b18c29a2f3785d3534d05423b9b89dc2eef643956d843efc869abc5e9d27bde677b238c68f33d034fca92135fd579fb1dd5 |
C:\Users\Admin\AppData\Local\TempKIQCJ.txt
| MD5 | 3bf0ca3ba9863d35e7db3e7b2cd31b7a |
| SHA1 | ea10955b351348e554138f493d3a22c60c44c2cf |
| SHA256 | c4c93341d1268d21ddea7d6132776d3ae6d2cbe38c232579852cd2138a68a764 |
| SHA512 | d062c276cf111712a5cdc8a6ea648b1bf4d2e2ce312be4235dec436112234f61e43693e9dbb8850e35a050b9fd978517c1ec2bc6e7b8fcb4ad03f490d50355fb |
C:\Users\Admin\AppData\Local\TempUGMRD.txt
| MD5 | b22132539dd436d0b5e7e9332b303beb |
| SHA1 | 816341d0d9bcc592a70cbf867c7ffc44b75c0544 |
| SHA256 | 1f83c1c4e9fe62a8c51b5a794de6ea2a1b46fd3caa7e303c13b398f4c75a3058 |
| SHA512 | 31ac6658660f0ac369b201e3ce563658ef64a9b1f53307be642acf7efa1c88ddd6ee9208a5a3c2136a60c5717eb63f4ff11d66e1df1ff932a26253493e0c47b1 |
C:\Users\Admin\AppData\Local\TempCFHQM.txt
| MD5 | 19b5c504d50be17ed858500e872957be |
| SHA1 | 20714841324a86dacfed2fdac8089bff4c7a1f48 |
| SHA256 | 1a6c9ce78a7cb656d62451f28e019cdec09c8e8b0344fa7455a2ee4ca50e3ff8 |
| SHA512 | 3b312ecca4648d257da7419e8dd6554bf19a6992fca64a578d425f385c44a5352001505916725623603019a4d2ba229a811823ddd23599d85c2018f177c32d8c |
C:\Users\Admin\AppData\Local\TempDXBMK.txt
| MD5 | f2cddf9b4c6dc1c004b21edafc8229cd |
| SHA1 | 29cdd639f4c179567cb348866c5f6e3dba09d708 |
| SHA256 | 8f24551e222b7f71fe5abde2e4f575e531c22c7b9d65a5493adba78b9ac040db |
| SHA512 | e2bf4e1ecd1e3ea9c31b09da90f2c7fc0c3b0f826f5ff4ed820c793f892fae68af1e6bca0a8418322ac629f765cc873c5ff81fbb59628e3bdb06d93fdd59b0b0 |
C:\Users\Admin\AppData\Local\TempVLXIH.txt
| MD5 | 38582d0b8684e515acc8a0b855142358 |
| SHA1 | 091d9a23d9ea9a7fa0a7583fc3233521f038d3f8 |
| SHA256 | 86ace41294290c8dd92509de6b1a6245e1ac20c41f4f1d7501be7ee721223776 |
| SHA512 | b5b207d182e0c3b8ceb79160238c24e6af6c482485d77c2b2b4bf0130611db60c503c2b1f6bcf4220328862c7ff650a3ac4f508dede00b8e50e3dcd92241a633 |
C:\Users\Admin\AppData\Local\TempYXFGP.txt
| MD5 | 8f13886a6f8f3d09c63c819d864c70a1 |
| SHA1 | adad140373f9a9f5c6fce07572c4e610c1b389bd |
| SHA256 | 62dd21100ab5ab21968ce7b9984e867875dd229354f5d78cfd2b8cc8a4614434 |
| SHA512 | 17b3ba19af960f32a632cf16c12e3d5bdfd948c2784bf7d19803bec8d44e7f33e0c59771bcf1ca4f414ee6f68d6ff8001ac22a8b1a57da2a60147af852ac6aa5 |
memory/1004-1171-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1172-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1177-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1178-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1180-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1181-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1182-0x0000000000400000-0x0000000000471000-memory.dmp
memory/1004-1184-0x0000000000400000-0x0000000000471000-memory.dmp