Malware Analysis Report

2025-05-06 00:16

Sample ID 250123-3rd9sayqav
Target 161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe
SHA256 161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81
Tags blackshades defense_evasion discovery persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81

Threat Level: Known bad

The file 161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Blackshades

Modifies firewall policy service

Blackshades family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-23 23:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2025-01-23 23:44
Reported 2025-01-23 23:46
Platform win10v2004-20241007-en
Max time kernel 114s
Max time network 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOVF\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQDAPXOCDYUPCYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHLHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQLFAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRTFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAYTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRSPXJQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQSNG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAFMWMRJRFQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OKLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQLJMBPWFRWGSEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHQCINAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDGSTOMPESAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULICWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQLKQMCPXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOKJWDMWTEAYLEY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKULH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDQMKPCPRMFIJTP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBFAPUNDDFAHVDR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YPLKXENXUFBMFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMJRDKPACFQSNLO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOIAGNWMSKRGQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIJGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVSTFLST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOKNUDPT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PQLJMBPWFRWGSEC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HRIFTXJKHQCINAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RNMGPXHDOHIYRVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQEHDBSXQGGIDAK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLBHPGFQN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKJPLBOVF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJWDMWUEALFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCCDXDUOCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VWESRDLCUMIDTMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJKGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYQMHXQCRBQRPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUIIJECJFVIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIWVHPHYQMHXRCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGEUSIIKFCDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4388 set thread context of 1536 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1416 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2672 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
PID 2672 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
PID 2672 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe
PID 1476 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4408 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4408 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1476 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe
PID 1476 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe
PID 1476 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe
PID 3876 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4300 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4300 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3876 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
PID 3876 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
PID 3876 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe
PID 3564 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1576 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1576 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3564 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe
PID 3564 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe
PID 3564 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe
PID 3996 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3664 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3664 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3664 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3996 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe
PID 3996 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe
PID 3996 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe
PID 1512 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe
PID 1512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe
PID 1512 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe
PID 4480 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 860 wrote to memory of 600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 860 wrote to memory of 600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 860 wrote to memory of 600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4480 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
PID 4480 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
PID 4480 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe
PID 3668 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe

"C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRTFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTYF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJWDMWUEALFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUOCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXFNEC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRSPXJQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNNLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWESRDLCUMIDTMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJKGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDRYHT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LMJRDKPACFQSNLO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYOIAGNWMSKRGQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQLJMBPWFRWGSEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHQCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHFJX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQSNG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCOWNH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDQMKPCPRMFIJTP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXXMU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVSTFLST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQCKBF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBFAPUNDDFAHVDR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSUFG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YPLKXENXUFBMFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYYUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PQLJMBPWFRWGSEC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQCRBQRPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNMUIIJECJFVIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEJYWG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQDAPXOCDYUPCYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVOST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XOKJWDMWTEAYLEY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIJGOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGPXHDOHIYRVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBRSPX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHPHYQMHXRCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKULH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHPHBK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGEUSIIKFCDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGTSF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQEHDBSXQGGIDAK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLBHPGFQN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe"

C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe

C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKJPLBOVF\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 218.99.81.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 192.168.1.16:3333 tcp
US 8.8.8.8:53 158.161.55.23.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\CKCULICWMNKTFLQ\service.exe

MD5 7b7eef7140264a0a42ec0f1ff2634333
SHA1 13a43a19019ee700563ec5e4e9884bb904023686
SHA256 2029c92b5d9e80a1ad53212fb906d4f7404eea9fba746e2bf3d9de85a74e6444
SHA512 deac2e39270b0b705f9c00c8751ef98da2555e858d78b33f9eb9be49159658dd0ff595bf0e2e02ad5cf7e28bbbe06d44116f97aec6a8cd44fd3354c4e2401c12

C:\Users\Admin\AppData\Local\TempKLUQD.txt

MD5 8d8c8d488d51a8fcc66f861dda99b129
SHA1 db806fc32eed50c10919b3461deea6e652ba0bf3
SHA256 6ddbce74ad91c50eda389fe8cb8e9b6c1a85b8f4391a3d0aa5bf89363a24d9ad
SHA512 acade8cfb15ff28fa9b16f42a7703abe45de63c671e9d756ad42b360e4fd8c27a5a2464312585ddffaad0f42f9fc7937ef48830c6fc35d6d3fa992df0455fea5

C:\Users\Admin\AppData\Local\Temp\VYNHAFMWMRJRFQG\service.exe

MD5 ffac0aa6ff5fa70740e2f8d80dc64b24
SHA1 0bc77d9b2a292509f763850f91802b9d34553df6
SHA256 b912b513b584ed0259b7c37be019c3b4f925ebf42451cd89b1777a5ecdcbb6c8
SHA512 920188951d4b6f61303bc5b18dd83916b635ad0a86d358d07a394590f4bfe7440278eb7daa6df5ec7bc032ff5780cd186e3212d1aaaa6d90533eadecc47b1e48

C:\Users\Admin\AppData\Local\TempCOWNH.txt

MD5 702e34290e9fa279ef73dd13d3275b21
SHA1 b15f09b4e57ddf5ae972586212847d796bffde13
SHA256 52695a2b537aa3ca6d635d716cc50e9231c3f6ee02874636cfb610f3b90a8716
SHA512 6ab1dcc57d4d109fd836e1eb1d116d398d8e100a1b35d0bcc26525ac6b8885205da24f1667d729e270f2e9ec6e4ceca4bf2b6d24dc9ac053ace0193473aa80f8

C:\Users\Admin\AppData\Local\Temp\FNEWOKFYOPMVHNS\service.exe

MD5 0df1c9e6ed8b78499c57e9a5cc430035
SHA1 e36e84befa1eb74bb66b5caec3284f4ed6c411e0
SHA256 55f3e4c27351b6c8903e3207bfe1a096be7a630143ea147c45e9eeb12dd13861
SHA512 39337f8432b660a5679d11f82d3ab86095238aa352edcaef34b5630c62eec79d64e0d94a1eefd9e9e48d25c2da7da4a126b074fc3b12dc3df74bead0ffd958f6

C:\Users\Admin\AppData\Local\TempEXXMU.txt

MD5 e5de1b650a040f7ed8e3978daabc5c28
SHA1 db4850e5559f3819fac04fdf8f26e3e49236d3ec
SHA256 2b2495ce7a09174320c02e2c2de22fbd6b9a994ee0db0a431f91710d99e1ee1b
SHA512 d6086ff2a215c267d9b1d4107ac792d39dba76cd172f4a4160a90100b70986a8267ef229b8e82deec6e19e62260297de9a2bb8305fbe8e387b493716f5d7ac6f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOKNUDPT\service.exe

MD5 88729a6b7060fd050d49f75d23d8fc9c
SHA1 f9a00b115dfd644b49afa1b56a125783c32d7cc9
SHA256 08ea89f6613b0501758481c9ecc46a2ef0e48892ebe3bf9df4b418255055997a
SHA512 8e0a3db62942f28bcd4f836c641d1cef40cff361308786dfba87d6f9cb17e59eeeadb3d1b5c36b47a8066e22b4b5e115db0e493d1ccdd13e67874fd890b9533f

C:\Users\Admin\AppData\Local\TempXUASW.txt

MD5 bf1648cbc7b072f01b385e4f36b746d3
SHA1 f8ae6fb2f449fefde2aebe6053ebe7d300e4873a
SHA256 06f98a403093fab8c8eb5582b0bb2d6edb62eddebcc61f9e5f8e7e2ce3c5d33a
SHA512 2bd04cf45ac1fc42f8808780e88f9fe28aa9e1c93cd73fb7a2e8a6ba5f06cdc8fcad449753a14152005ec627072b31f196c69cd87452033b847ad2f74b770add

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJB\service.exe

MD5 d0203261a86ec64ac8200a7b543c9410
SHA1 2acec899766daa1f1c154656fc76ae14c4c5c0dc
SHA256 6d1353d087b35601aa74e74e8c0a5f71300ae0cf47cf6d5507f777f11b87bfac
SHA512 1261917b6a6ab70d790fb12b013b072f1a791f325378f5db20608fd149501e20455a0344dbbeefac2d98bbc9067eae942de3d39222b3cf8ce7cae8febf5de0d4

C:\Users\Admin\AppData\Local\TempDESAO.txt

MD5 5b8a64d8a40c0ee634f051917d11e111
SHA1 e803fb652a18a07cea05c4174de8361269e8193e
SHA256 0f7ddfe9ea42dc3c0b9769896b24b77eb92e5aa47ea797462d56e89242db8c22
SHA512 183d901404e67e2b839a50daa7de077716297d5c818407897c297dba7133d2c9ad15f74b75592140233a7e4ea2dd44fe6a69727ac02680ce585feb55503c3eae

C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe

MD5 d5e59b6cffecc22684be06c79f95b6fe
SHA1 5b1761e22162046b7ea7a682b959026220dcdca5
SHA256 d976f6c5ed4c6e9e2b6c494e4f0e771031bca283d177c6a65924160165ffb5c7
SHA512 28672e2ea52b54fc9ef02db5a9b610f38bbdb059ea9f59188ca5c21d1f11c027d3fd986658df6500691306de4f23928bfa017956f41401f1ba2a35230865aa0c

C:\Users\Admin\AppData\Local\TempGBIWE.txt

MD5 9d8a73676ceac800fa001ece1f4e52f3
SHA1 789fff73252bda26653a511337e96d9121f836b7
SHA256 aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51
SHA512 b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

MD5 8ed51e66c459184e54d29ecf3cd56772
SHA1 2b1da0bdddea723b6c50857ea697e0ac84b146c1
SHA256 cb31ee8df4baf82b59969be56620b72caf148e34ed9ee6e6f79c7bc562ba0acb
SHA512 3639a4ad20acaa3eeb7ce29936089e27b81fd18cdc7a05fceaecac35ef80b9145eaf646b93131968dd1285650f005035fc031100d1767738938ad26cc2fa0228

C:\Users\Admin\AppData\Local\TempQCKBF.txt

MD5 727c280853323aa338ac5c1658850aec
SHA1 8ff305b6c59782594dc3b07e87824cfec7e0b15a
SHA256 ba7a00e68bef5a7f49a60caf5e4f12cfee2c71fb7f0375711fadee5cf5e56bd1
SHA512 8f902927105ab166d21e1ceb98302bb66f972ca30cb7e25a9df57dff4ce360a486f831eee7893977463e0716237376574a4855c3a006f0dba84daf207b05805f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDAJB\service.exe

MD5 b6ec8d2f930f69f291a9c0d49f22d8f9
SHA1 7d02e8db77e599265946f9b247cf1e37db9e0573
SHA256 e982c6d4e877146ffa44cbcfe5f269a77ad4fd6730f294dd19572380ba21fdf8
SHA512 a2b86c58c8ea1d399f74918c15cefb402a3e075acfc045853132d82cd485cdb354223130fb1ffc6320783d765ebc859fdd0a0a6e34f5d5cdf56041969db947a4

C:\Users\Admin\AppData\Local\TempKYGUT.txt

MD5 1c95cf0a551ea20f4178aae177d34802
SHA1 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a
SHA256 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48
SHA512 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

MD5 d8c0b6d79c4eb1deb2f8b5c1f26bb400
SHA1 1bd3f4b204a3842f28c6fe595c146236a7a94da2
SHA256 57622047e61102f86585cacb1bcd8cbe97e2499ad0f006cefa2860dc2cc5e246
SHA512 a796f5d974fcef91a147a4b2ee53add073b92f3a5ac04041f4d1a2a294ac9c6a33e7b3f35fcfb62fbcf473645fedccb2006f4d4ebfdf67b73bcc244108967e8e

C:\Users\Admin\AppData\Local\TempPSUFG.txt

MD5 a13ad58714ae41a20ee66abaf5095dba
SHA1 3223664be857e3f9e5eab0f6349b457061d46598
SHA256 bbaed2cdf98917bcf60c42bdb9269a8ae4a12cb3006f94a2ef662ea00a66bb1a
SHA512 62c4e0e750dea9ea1c83405de1da38eeeb18cd89a9910af5c4cc3eee6cd1668f78a93fb9b8ce66713c2c83fa4dc9a269ba00c7e9de5d1e77d861f8427a52af76

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

MD5 88cf92e3cf1230b6a73fdc74c3d26e3c
SHA1 5aa94da31ba4b631e892e5b3381e4f58d6117f29
SHA256 aaafee4f81a55148a38678024320d9dda902bb15b12c65c6b3f20338b6da1394
SHA512 3fa291cacaacb092826d97f4883dfb1a3a4eea4b8c5f199358a6e6de8890b60ddc2c94bcf12443003d5899153a2bfb62535b7503f76c2fea475d45997645baf3

C:\Users\Admin\AppData\Local\TempGYYUU.txt

MD5 64ef0a5f2dae6bc9694d2c6ee143b0e2
SHA1 8fe595557178b3cbffd98ebbe2e5760599089bb2
SHA256 c9185571f05b3cbaef9de18c484cd98c22f093cc5ef0c4e85cf9356657a1e3a8
SHA512 cbedf8cfc71c119c6c4ed1eb0d5e11fc4aee365e594a3fb823f8bd970efd4e4fcf3e15c9142aedfcf3b8412b82cdfd9f4fab95ff755257f168ff055836d64806

C:\Users\Admin\AppData\Local\Temp\HRIFTXJKHQCINAD\service.exe

MD5 858b28f509f521a14866ecb288b1228d
SHA1 54d92a8a744a18c431e33a9ce7ae5134ff3a1ce7
SHA256 56aacc47d019d3f9f26a1436b867f0e72f3a6ea594d7597734c2639451e794c2
SHA512 cb2813b6b53883523bbc20bc5b929708385c46bd811f143c824eaf248c494bd524ef0698bad660d45f1fd3f8312998ad33528cb03280124319e892bfc354c290

C:\Users\Admin\AppData\Local\TempWSRGP.txt

MD5 b87c95e66bfa0468b23182d8e7da564c
SHA1 46a1289d495aa22a197a059eef1fd730ce95ff01
SHA256 42bed674dfa1861d0e52fd01cbef9c9091eeb8242642e0febf5c01012b48c261
SHA512 07e3deaee31c0f0c4e2639c105adeb1f7362a80bdae026f00f687f8fce71229a502075e87479d787aa70ba23167915ed18f3f878668c64f30afe6c6d5cb19b32

C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

MD5 16662a2e8ce7ab63ffa2d1ef7789835c
SHA1 17f45ab0135175b3d268010026c7d92a1f9955a0
SHA256 956b50bb44f3f774296b32c140d1d305a5d8488a40dabe3cfbf7f67e6da4cd7e
SHA512 ebbc6358c0ca77f500a2cc8512de0b3a3d936a7d2e65c4e69fafe4c9d9895d63b03ca566adc022aa3452a351604317d1d4fbc1047484c454a8e12602e5643d03

C:\Users\Admin\AppData\Local\TempRCVVK.txt

MD5 ff63d8e96cd28976f42345b2809c73e1
SHA1 e5b172e153c6373f1c4c65550f6b037c2a07577c
SHA256 9fe75f61c2ae4c8c2590dc4a9a6d4e6136427bae61eb2dc9f669768a64981768
SHA512 9132e2fa180702b9b64b1163aeb324d5c73d9f530e62369f23756421adc7fcd7128b6b702993117a697f370e9a494fbaf9f0ea1ae0473dd9f47fe7dbd7c7f306

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

MD5 aec09322cfe169fd5336079ef8e0eb90
SHA1 2895d399d46682e26b95a42793d705e23522d713
SHA256 b26f2d653d836d9195d20d5e34315a6e5a092b849af0bde3e6d974ff682ea732
SHA512 359d8e3a633be994c4385b27c7fdd6c7b69aff3921b87b140d0840b25ab7b4754fb9467f7aa641be5fd69592f70835f5d28a0ec229bc32cb28803d2760971afa

C:\Users\Admin\AppData\Local\TempGAOXK.txt

MD5 3de21354830ad144224053367fa701b7
SHA1 bf585b0986cf375d209b247f4144e387e1c33866
SHA256 3a53f36414dbf3c6f90ada6e7fe7cb8d04b4c37603a6d53c16a0e26590f70cd5
SHA512 03b49213c8ac793ec2fc7949a178fe1640cec478e9e4d57b7e9b522611e17fcc2e62251a20444e4c0f44955fa75a313493c4aeae7f7aa7b75a81aee168fe9b2f

C:\Users\Admin\AppData\Local\Temp\UBTEQPQLKQMCPXG\service.exe

MD5 cf05a8c49b83cef8318e367ecbaf799e
SHA1 732cc20008a743fca26b6681a931783689b054b4
SHA256 b18e0fc9c14d875c146ee55d2719a6521bb937eea3760b8ebe5d2949fa71693a
SHA512 33bca586193d84e82fa7f4748e2de384e53bb966b0a4c43ba73857176ef1c5bdf1ef672979bfd342d5a675479acff73beaea8911ec2ba5f7396cd4e659be1178

C:\Users\Admin\AppData\Local\TempPUGEI.txt

MD5 5d5ceb7316daba9b2fd663bc7eee7e8e
SHA1 71e6ff54f62c8ea6d0175986d439a8755e342858
SHA256 e5cf4d0f638e4a27d0e10bcc2ff21ee331adc6d5424cca15bbec8573fc642256
SHA512 6798493031ffa663aa63447c2f7afdb9cac7c18626b9c5d7919d7aac55325f620857279bc178476b254f6adf429989f69ea71580fbfae2672455646cd7ebe3c4

C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe

MD5 5a4d9252c75641aabaf2bd0d34c02c35
SHA1 831004a42152904a54abba9e26cb385901c60c15
SHA256 bd4b6bc85b37d4c0645e3d4367a08b0582c01be531bc03af150bfe6a8e8039a0
SHA512 ae0d6848928b10e56e8813427c1f3dd03ba91b035c88599071adc21837ce5669a0de52d9efc729e62b9e08c770cc021761ce54c376e27c847661c0cf76c489b9

C:\Users\Admin\AppData\Local\TempXSSHQ.txt

MD5 b382150ebe8e7b0b867dc451c7c5e37e
SHA1 b27fbb26efd43727407da42f06787680ffd14347
SHA256 d70551357f835d50b85b7d3f116c9e07a2e366085fe8b5c4184c2c1270e7fa41
SHA512 a9015933e601008182986a68dfd0cae0ab83720bf81254f42da47d4916a406dcf9c59fcde429b3cd41faa9d7d3b5d5c5e773eec4146aea4945e1d440757c552b

C:\Users\Admin\AppData\Local\TempNUJJK.txt

MD5 af4e258c4cc598bcfe6c26ac8d0ed9f2
SHA1 19bfb329f528ae3d9cc8954bf995ac5ac0feeda7
SHA256 a89e9bb8f759daf9c65b56ec457e819d25547e8f958ba0cfbc6495a2ee25be3e
SHA512 90fe2690220a63f7bffb5f5ccf4d979faa7746a26ef6e0b67d5434d6f8b4ff2dd31b35e9240ebad105573fa08dc86cc4b99b2703902561d3ca01d8c805e9e564

C:\Users\Admin\AppData\Local\TempEJYWG.txt

MD5 ada7f03d0b97fc42de56b4339d148836
SHA1 6de435827ff4a5cf284dcbe48441909c700b7bb7
SHA256 17a24b806e1617d7a525c702dff56680a97691c9a4a75e4cf3eaf8023d0f5143
SHA512 f1c52920c7b4b89c95d192cf088f7df468e1ce53dc332aaa56ace7f232741c96b132e37f41565f1521aac8a3bb0901be7ad521e514c693a95f897903ea7164b5

C:\Users\Admin\AppData\Local\TempKSFLQ.txt

MD5 b26c8cc3ca5f915507cdbd939df6cd98
SHA1 41df0368c5141d0135229e8b792c94bc18980b4f
SHA256 f524ba0a509958fd34d65982d56b0c0da42676ed927bc88e19ac90a611b839a3
SHA512 57278b1b8023f38c0da26b937adf984b850efc224b9a1f73731a80a69e3235bebff9ed8c5d1b6a725ff89aa887f2b13bf5af20a3dd6eec7efff4b3ca9afee655

C:\Users\Admin\AppData\Local\TempFVOST.txt

MD5 8a0cbc4102ab78c68eca0c14405073ec
SHA1 6bfa878b56631995369f213095beabe6311f7421
SHA256 a7cd8b58c2e9dd1b623a6d715d755e5c608780dd9b402ba7fa508f553fbed4c6
SHA512 309089ecdcb3ccbded487091d7fa660f332231bb298691ea3435ca99c8a8b8803789119a5c2c5cf2f2daa8d18b316fbe9c0689f624a2796d2b6b4bcf890dbd05

C:\Users\Admin\AppData\Local\TempIJGOA.txt

MD5 c9c726646468f9efe76603e7264fb914
SHA1 07b8f6e7df613f19ad1fea10ddf8342d094a6fa9
SHA256 d54c17baaca196a6dff46734719910189c49a3159ab5211f4e6dfb9591400a0c
SHA512 89011453a0fc3f8ca9afb2362f829003ccaadb9187e4fdfebea263efa7e2d26a35701aa30f15637a4c7cdbfb9c03f26da13bdd6cf393104b903483c46cdfc936

C:\Users\Admin\AppData\Local\TempBRSPX.txt

MD5 d3213841806caceea777ff87e0167695
SHA1 31bd92efa6ab0d27ad6cb690b425db8e167528b5
SHA256 e1ff61f68aaf669aedce7ec0f607bf6755ff98f3f7f0369a5dfe40b415281a2f
SHA512 f49b894249b54b486d1a90402e5415621eb0a7c8eeff2c4d3bdc43166cbc2ddad0bbd969ebd6d67ddd9a33f38bff7d2ea997ecaa907e3e4e31a98571071127bf

C:\Users\Admin\AppData\Local\TempLPQVB.txt

MD5 5f03c17191959612e6bf0978090d281f
SHA1 d1a3a1c55f0205a157b7e2937ed34ff4190d8fbe
SHA256 cb703a76099495b5a7492268f5fcbaede3f7c5889aea7891e60fdc4249ca2831
SHA512 f33fe7482a8f2bb96d3afd58169a8f47caaab7c62be5776c2cd1d9c8df6c36d4b007d5ff11bdecf83b1e742c4d15a0cf10359aa08c257cf3fa94c2fe0a0f2662

C:\Users\Admin\AppData\Local\TempHPHBK.txt

MD5 c3d5c80056e15329022822b1a2e9c07a
SHA1 7d0a6630471ea4df07d24b79dce309002e8b345f
SHA256 1f29bf6438a7ccf0a509c0638f61115f820aeccf1ae6f1e62a493f8763c34afd
SHA512 2f80f557479f6d4986616fb33c3259ce7296a3115105396e9bc8ad2a1ce48119473eddd5f891ab3d487d8c134a90cad1a6becf5bf28685d33f04c15cb1905517

C:\Users\Admin\AppData\Local\TempYGTSF.txt

MD5 f72a7f69bd6657883ffe810979af1dd3
SHA1 5dcbb20a195ec056456c94470898ba95cf3c544b
SHA256 675a3c2c8c9ca63d1d6a838458c63e5cf6a5cccba9f6cc98dfc14e374e9b99e9
SHA512 959c6d785d1beeeaecffe641c2f00d12ddd8f5896a541e7e256245ad359f674943640c1f4b883be1bae301553b46950ee7891ad41da79be7dd0de4f7187aff01

C:\Users\Admin\AppData\Local\TempXMIRI.txt

MD5 05959d05a0fa736535e57fe2f9ebb730
SHA1 c99f7dd647f0a3ba00b32c76f8c2c84183d4c77d
SHA256 de688d5c5c7f5837303192535bcc42014289f8d7d76c58da6095106f80c4ac51
SHA512 93c0139f7ba22d868a6a8b1adeb6d5c04977d85df6fe0620e77d29e29ed82c52e20ce33ef819f18045565cbcbb79cffccc1a38763e194e6e046b45bb875cfdfd

C:\Users\Admin\AppData\Local\TempXWSTT.txt

MD5 5edada1ff7b2ce3d1ba6887a7c0c3a48
SHA1 ed961a9ec7ad40824677714eb51e32ab68f91eeb
SHA256 b61eff900cfd9e5d15ffdbfae92331a8d2285e108ce8ecb11d292788908b24a8
SHA512 69308b8e1e121670b35a1e5538e451aa86ade7a1a5eeb5062b27dfc55a97726acb51437f46d71244100c554e4f6bf83e8343ef343adc849dbdd97cd2f1e50d9b

C:\Users\Admin\AppData\Local\TempUFYYN.txt

MD5 b6eac8372d1f99d11f4ee17470920a3c
SHA1 5e5550580872ab274638e4f754ef29ddb72a77fa
SHA256 d12770eee6818f8a2d60a1f18c5c13fda3bfa8396b3f2233724934f8ec5c7763
SHA512 9f432fc06979df2437634c32f225bacd61ff0f926b49caa9410ff06dc6a3b9da6e8d1992d36c899d9c8817038b2250218261e13b652cbebba53c484af4c04503

memory/1536-882-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1536-883-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1536-888-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1536-891-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1536-892-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1536-893-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-23 23:44

Reported

2025-01-23 23:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXSBVXLPVBCIAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNPFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWNOLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SFNEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXQGQJIKXAYFT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCULICSMNWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHGIYVVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYHTQNS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSVUWIMRFCQQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\UTHIDCEUHOJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJWSBVXLPVBCIAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABVSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLXOYRQSEINBMV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDXUPCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPDAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXKLHFHXLSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAYOTYEFDLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGHSYPNRMUIJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAEAVQDL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBKBTKHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGSWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\KQDAPXOCDYUPCYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ESSGHCADYTGNINK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVTCWMCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HYQMHXRCRBRSPXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MAVRMAVHWBGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXNYRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVPAQPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\BCFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYJAKDXCEURR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPKJLBOWFQVFSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESWIJGPBHMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Windows\SysWOW64\cmd.exe
PID 2948 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2948 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
PID 1972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
PID 1972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
PID 1972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe
PID 2816 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2816 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
PID 2816 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
PID 2816 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
PID 2816 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe
PID 2772 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2444 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2772 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
PID 2772 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
PID 2772 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
PID 2772 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe
PID 2592 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1580 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1580 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1580 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 2592 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 2592 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 2592 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe
PID 1724 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
PID 1724 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
PID 1724 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
PID 1724 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe
PID 2068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe C:\Windows\SysWOW64\cmd.exe
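Read together, the three record types in this section describe one persistence loop: the sample (or a previously dropped service.exe) writes a .bat into Temp, cmd.exe runs it, reg.exe adds an HKCU Run value pointing at a fresh <random letters>\service.exe under AppData\Local\Temp, and that new copy repeats the cycle, which is why a single detonation leaves 20-odd Run values and a parent chain several service.exe deep. The script below is an added example, not part of the sandbox report: it parses rows in the shape of the "Set value (str)" table, the "PID a wrote to memory of b" table and the REG ADD command lines listed under Processes, flags Run values whose target is a dropped service.exe in Temp, and reconstructs the longest dropper lineage. The sample rows are constructed from values in this report (the PIDs and directory names are the ones in the tables above); the OneDrive row is invented as a benign control, and the "run of upper-case letters\service.exe" path shape is an observation from this report, not a documented Blackshades constant.

```python
"""Correlate Triage-style behavioural rows into a Blackshades persistence finding.

Added example; not sandbox code. Sample rows are constructed to match the
shape of this report's tables; the OneDrive row is an invented benign control."""
import re

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

RUN_KEY_TAIL = r"software\microsoft\windows\currentversion\run"
# Dropped payload path shape seen throughout this report:
# %LOCALAPPDATA%\Temp\<upper-case letters>\service.exe (observation, not a documented constant)
TEMP_SERVICE_RE = re.compile(r"\\AppData\\Local\\Temp\\[A-Z]+\\service\.exe$", re.I)
# Registry 'Set value (str)' row: <key>\<value name> = "<data>" <process> N/A
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\S+)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)" (?P<proc>\S+)')
# reg.exe command line as listed under Processes
REG_ADD_RE = re.compile(r'^REG ADD "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t (?P<type>\S+) /d "(?P<data>[^"]+)"', re.I)
# 'PID a wrote to memory of b N/A <parent image> <child image>' row
WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$")


def is_run_key(key):
    return key.lower().rstrip("\\").endswith(RUN_KEY_TAIL)


def parse_set_value(row):
    """(value name, target path) for a 'Set value (str)' row under the Run key, else None."""
    m = SET_VALUE_RE.match(row)
    if not m or not is_run_key(m.group("key")):
        return None
    # the report doubles backslashes inside the quoted data; undo that
    return m.group("name"), m.group("data").replace("\\\\", "\\")


def parse_reg_add(cmdline):
    """(value name, target path) for a 'REG ADD <Run key> /v ... /d ...' command line, else None."""
    m = REG_ADD_RE.match(cmdline.strip())
    if not m or not is_run_key(m.group("key")):
        return None
    return m.group("name"), m.group("data")


def temp_service_entries(pairs):
    """Keep only (name, path) pairs whose path is a dropped service.exe in Temp."""
    return [(n, p) for n, p in pairs if p and TEMP_SERVICE_RE.search(p)]


def build_process_tree(rows):
    """child pid -> parent pid and pid -> image from WriteProcessMemory rows (repeated rows collapse)."""
    parent, image = {}, {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        p, c = int(m.group("parent")), int(m.group("child"))
        parent[c] = p
        image.setdefault(p, m.group("pimg"))
        image[c] = m.group("cimg")
    return parent, image


def lineage(parent, image, pid):
    """Images from the root process down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [image[p] for p in reversed(chain)]


def dropper_chain(parent, image):
    """Longest root-to-leaf lineage that ends in a dropped service.exe."""
    best = []
    for pid, img in image.items():
        if TEMP_SERVICE_RE.search(img):
            lin = lineage(parent, image, pid)
            if len(lin) > len(best):
                best = lin
    return best


def analyse(set_value_rows, cmdlines, wpm_rows):
    run_hits = temp_service_entries(filter(None, map(parse_set_value, set_value_rows)))
    reg_hits = temp_service_entries(filter(None, map(parse_reg_add, cmdlines)))
    parent, image = build_process_tree(wpm_rows)
    chain = dropper_chain(parent, image)
    return {
        "run_values": sorted(n for n, _ in run_hits),
        "reg_add_values": sorted(n for n, _ in reg_hits),
        "chain": chain,
        "service_hops": sum(1 for i in chain if TEMP_SERVICE_RE.search(i)),
    }


# Constructed sample rows in the report's formats (values taken from the tables above).
SID = r"\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000"
SET_VALUE_ROWS = [
    r'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\XXKLHFHXLSBMRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAYOTYEFDLDI\\service.exe" ' + REG + ' N/A',
    r'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" ' + REG + ' N/A',
    # invented benign control: a Run value outside Temp must not be flagged
    r'Set value (str) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" ' + REG + ' N/A',
]
CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" /t REG_SZ /d "' + T + r'\DRNQTSUGKPDAOWO\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "' + T + r'\HDRXQGQJIKXAYFT\service.exe" /f',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "',  # not a reg.exe line; ignored
]
SVC1, SVC2, SVC3 = (T + "\\" + d + "\\service.exe" for d in ("DRNQTSUGKPDAOWO", "HDRXQGQJIKXAYFT", "DMWEAYOTYEFDLDI"))
WPM_ROWS = [
    f"PID 1972 wrote to memory of 2948 N/A {SAMPLE} {CMD}",
    f"PID 1972 wrote to memory of 2948 N/A {SAMPLE} {CMD}",  # the report repeats each call
    f"PID 2948 wrote to memory of 2696 N/A {CMD} {REG}",
    f"PID 1972 wrote to memory of 2816 N/A {SAMPLE} {SVC1}",
    f"PID 2816 wrote to memory of 2772 N/A {SVC1} {SVC2}",
    f"PID 2772 wrote to memory of 2592 N/A {SVC2} {SVC3}",
]

if __name__ == "__main__":
    print(analyse(SET_VALUE_ROWS, CMDLINES, WPM_ROWS))
```

On a live host the same two checks map onto Sysmon event ID 13 (registry value set, filtered to the Run key) and event ID 1 (process creation, reg.exe with a REG ADD command line whose parent is cmd.exe running a .bat from Temp); the lineage walk is the same, keyed on ProcessGuid instead of PID. Because each dropped copy registers a different value name, hunting by value name is useless here; the stable feature is the target path pattern and the cmd.exe to reg.exe parentage.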

Processes

C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe

"C:\Users\Admin\AppData\Local\Temp\161b88c74aaa2dc6105cf0d33c003001dbff9fd495511494eec8e8e9f6bedc81N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUPCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFNEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKLHFHXLSBMRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTFLQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCULICSMNWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJJSNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGHSYPNRMUIJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHHFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTKHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQVGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXRCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXSBVXLPVBCIAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPKJLBOWFQVFSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIESWIJGPBHMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGSWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKUQDA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVSQUP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESSGHCADYTGNINK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MAVRMAVHWBGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXNYRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEJYWG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVPAQPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYJAKDXCEURR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQNS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSVUWIMRFCQQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIDCEUHOJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJWSBVXLPVBCIAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGEJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNPFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe"

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
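
The process list above carries the three behaviours the signatures flag: a `cmd /c` launch of a dropped batch file, a `REG ADD` to `HKCU\...\CurrentVersion\Run` pointing at a `service.exe` copy under the user's Temp directory, and `REG ADD` writes to the legacy `FirewallPolicy\StandardProfile` keys (`DoNotAllowExceptions` forced to 0, then the payload inserted into `AuthorizedApplications\List` with a `path:scope:mode:name` value, the pre-Vista firewall exception format). The parser below is an added example, not part of the sandbox report or of any tool it names; it turns such command lines into structured indicators for triage. The five sample lines are copied verbatim from the list above; the function and record names are this example's own. Note that the batch paths on the page read `...\AppData\Local\TempNOXTA.bat` with no separator after `Temp` (the Files section lists them the same way), so the parser takes them as written rather than "correcting" them.

```python
"""Turn sandbox process command lines into persistence / firewall-tampering
indicators.  Added example; not part of the sandbox report.  SAMPLE_COMMAND_LINES
are copied from the process list above; Indicator and the function names are
this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Copied verbatim from the process list above (one line per process).
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"',
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWNOLTFMQ\service.exe:*:Enabled:Windows Messanger" /f',
]

# REG ADD <key> /v <name> /t <type> /d <data>; key, name and data may be quoted
# or bare.  Windows paths contain backslashes, so a regex is safer than shlex.
_REG_ADD = re.compile(
    r'REG\s+ADD\s+(?P<key>"[^"]*"|\S+)'
    r'\s+/v\s+(?P<name>"[^"]*"|\S+)'
    r'\s+/t\s+(?P<type>\S+)'
    r'\s+/d\s+(?P<data>"[^"]*"|\S+)',
    re.IGNORECASE,
)
# cmd /c ""<path>.bat" "  (the doubled quotes are how the sample launches it)
_BAT_LAUNCH = re.compile(r'cmd\s+/c\s+"*(?P<bat>[^"]+\.bat)"', re.IGNORECASE)


@dataclass
class Indicator:
    kind: str     # what the command line does
    value: str    # the path or key it acts on
    detail: str   # parsed sub-fields useful for triage


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _in_user_temp(path: str) -> bool:
    return r"\appdata\local\temp\\".rstrip("\\") + "\\" in path.lower()


def classify(cmdline: str) -> Optional[Indicator]:
    """Map one command line to an Indicator, or None if it is unremarkable."""
    m = _REG_ADD.search(cmdline)
    if m:
        key = _unquote(m["key"]).lower()
        name = _unquote(m["name"])
        data = _unquote(m["data"])
        if key.endswith(r"\currentversion\run"):
            where = "user Temp" if _in_user_temp(data) else "other location"
            return Indicator("run_key_persistence", data,
                             f"value={name}; payload in {where}")
        if (key.endswith(r"\firewallpolicy\standardprofile")
                and name.lower() == "donotallowexceptions" and data == "0"):
            return Indicator("firewall_exceptions_enabled", key,
                             "DoNotAllowExceptions set to 0")
        if key.endswith(r"\authorizedapplications\list"):
            # Legacy exception format: <path>:<scope>:<Enabled|Disabled>:<name>.
            # The path itself contains a colon (drive letter), hence rsplit.
            parts = data.rsplit(":", 3)
            if len(parts) == 4:
                path, scope, mode, label = parts
                return Indicator("firewall_authorized_app", path,
                                 f"scope={scope}; mode={mode}; label={label!r}")
            return Indicator("firewall_authorized_app", data, "unparsed value")
        return Indicator("registry_write", key, f"value={name}")
    m = _BAT_LAUNCH.search(cmdline)
    if m:
        bat = m["bat"]
        return Indicator("batch_launch", bat, f"dir={bat.rsplit(chr(92), 1)[0]}")
    return None


def extract_indicators(cmdlines: Iterable[str]) -> List[Indicator]:
    return [ind for ind in (classify(c) for c in cmdlines) if ind is not None]


def summarize(indicators: List[Indicator]) -> Dict[str, object]:
    """Counts per kind, distinct payload paths, and whether the firewall was touched."""
    counts: Dict[str, int] = {}
    payloads: Set[str] = set()
    tampered = False
    for ind in indicators:
        counts[ind.kind] = counts.get(ind.kind, 0) + 1
        if ind.kind in ("run_key_persistence", "firewall_authorized_app"):
            payloads.add(ind.value)
        if ind.kind.startswith("firewall_"):
            tampered = True
    return {"counts": counts, "payloads": payloads, "firewall_tampered": tampered}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_COMMAND_LINES)
    for ind in found:
        print(f"{ind.kind:28} {ind.value}  ({ind.detail})")
    print(summarize(found))
```

Run it as-is to see one indicator per line for the embedded sample; in practice the input would be the CommandLine field from a Sysmon Event ID 1 (process creation) export or the sandbox's own process JSON rather than the hard-coded list, and the resulting payload paths and Run value names feed directly into host hunts.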

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempOLPKS.bat

MD5 4bf9ebf7456231a305cb90bb1dfec04b
SHA1 cf29746638f8a435a640514ae9fe04cfc3d643fd
SHA256 19cb655bd25868a95249b402e9f4c80d05e89664f3733db2f4f3698e145af463
SHA512 0e1c3d34b9faa99d672f1706bdace4e922605160c3de146a65acb56bd34c128202e6ab62ca366b0b5e446e287a193af740c23293a9cb538f8606228d52a4b58e

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPDAOWO\service.exe

MD5 ad9fd9eb993ee9d7bed406251c0a984e
SHA1 0e04fbccd53af56a5e63c66e64a98e07300d90b8
SHA256 4f277874512d6fc429cd94a2afc9ad25c8ef17ba223d1d5614ad0200a7b44f61
SHA512 1cebc45a5cfcbf686e6a694a3e001818e285c66d67f224ad3c840164f40148ba24d6d6d75a63946a84519d21f3414ba3d72bc5f1ded04ad57743d5cd36efba8f

C:\Users\Admin\AppData\Local\TempVHNSE.bat

MD5 ff557665b57d32a1d0d57febe9e3ae15
SHA1 fc9a0b568f1f1fffa70b59b2c03247faab516782
SHA256 fd67bb00ddb9e7208443ed698310f77eee63ff2fa1f5f6f434fdeb498993e86b
SHA512 597d26df5000871b3e1b339baa304b0c5026e7f378f0e02b83c78497bff7e3f3835904bb57438df903fac516e85a8d5eeaacb58a0965943621e43b25195b9838

\Users\Admin\AppData\Local\Temp\HDRXQGQJIKXAYFT\service.exe

MD5 3676bc6839df9c1bf92d1263a8b200f3
SHA1 0b8e63c37bd904a299f0a9f1ae2adb418b575912
SHA256 815cfb6bf56a04199c44612816cb0a1f708dbede71fdc0fc38565d2b29edae6f
SHA512 149a50df3e2f771bd38ed37e08852856be7a61e6e7408bf938c423dafc1724360408eb697e4f79c9445b0dfcbbd8c41de452f0c203e5d81f1ec07bfb151c0d28

C:\Users\Admin\AppData\Local\TempWCUYT.bat

MD5 f14f65a51922cceb01f79b7baf0fc4f0
SHA1 0c58371e5b61d929c770c82dc432f27daec53956
SHA256 4f9c96fea692435be2bfc5faf4bf4f4d4d1f541ab8987bb73f5c9a09f4633dc4
SHA512 db41a1bdc10804a936dcf21748268a6e406c5ea1ff4ef57a83dae942f1f51a07eb5da53c678b6895b2c4932c574473c0c4951e70ab94a48d5be284321ee97622

\Users\Admin\AppData\Local\Temp\DMWEAYOTYEFDLDI\service.exe

MD5 bfe9248b030e141c13685852201ec4fc
SHA1 645a64bd3fddd87a0a6f7a63a6c13cd350744325
SHA256 82a2a333c89767720771b68136a27dd22a926bcdce09d6ae427a16513a4bd27a
SHA512 b6f21b03a6dd82a489fe670aab0a780233ea886f93101873251b404ec3e29d5d6728176c0a741ee34453310719cf6a6d5b9b62f1e45eee6a664cd23bb72b093f

C:\Users\Admin\AppData\Local\TempQWMKO.bat

MD5 0dc97faab010bf174db702381c9ba478
SHA1 a515e6ccf579eda7e6aaae83ab4117c18cb73290
SHA256 0a4fcae90e3b4dc146f1f7a0a9fb11ae9c7ed566fd6029eca327b296929071fb
SHA512 c1ce922250bfd779f2eb09d8745c712af490d93e2ef6376b8a7ed624be9758208b4437990fa4a0cb53e426e971e4696ba358556e23cc7811bea22818ae4af716

\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

MD5 8eed8d03ad85803aed4771912d611482
SHA1 db81b3b615e7a1fc015fd8d00f41953af22fa0ec
SHA256 69b03e83834cb1fa8294fea57c7cd2d790e61ab7b59b3a273f6dfa674fccb1cb
SHA512 1762f4e77903f387c389116180a4466c7da95baa8d915534e7cc372bf16bb0cdf4df77a4f8b3ff999850c17c36f2d47d535fbb4f986a91d18e367045e10c5973

C:\Users\Admin\AppData\Local\TempKTFLQ.bat

MD5 d55e6f40d7cd30b45c4d53f24c07ffa0
SHA1 858e175f6baa0cd28d08af0fa4a81323378c5444
SHA256 e1f38603ef277b3320508246e951856963b81f2e98862f9ce6bbce6d2d631763
SHA512 90b2938eefed287196c17a415d01882c0b8ab07ea54e226762f76cd86fd395ca912c880c88048a06fb0fb89d09b63c1aad8732910a5d7d395d978bcb5f00a584

C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHGIYVVD\service.exe

MD5 d5f4360aaf2cc327769a75d857b0d386
SHA1 f545fe874f94595645bf725df2b39e94044bc456
SHA256 35b074085cfccc31a050ef13d28d98f1d596becf53ba5ff0d7054d8abee7a838
SHA512 cfc168c6a16e0119a769170e2541948b93ab791840c53c8f625574d77ac63244bbccb6c2abc98a0d7676ae9e1685c1b3779c7439763cbdfeaf356224c3965d3a

C:\Users\Admin\AppData\Local\TempJJSNW.bat

MD5 90f9d90f63324bf9badfa9a326fcebbf
SHA1 af2e43a04ae0ec176817b1e36dd9ca32ebe6ad07
SHA256 c01205e63f576371dfacf06fa331b24a01ef0f2cea9c36338c8cb9eafcbf27d5
SHA512 6fa356dcc471bcd3bd149ccbcb5c03b26044088d60cc2874a3710d579131b980176e2fd1d6b53c7c40f97278c244f7f4f23b16009fa1851336557bc0cf73fb34

\Users\Admin\AppData\Local\Temp\QIYHPEDEAEAVQDL\service.exe

MD5 5c610ada6a4a0c7267400cbea202205f
SHA1 89052e5fcb2fa1d4ca545ddd84e06328790df5a4
SHA256 e0df19c9eb8bae068b6fc602ee8ca8b2bfbd3b7b11a5d018224ac862becd91c5
SHA512 ea4433dea3eea00ae7447a698c4bae2b7876a7de46e656fee72a7d110d0b1ecccdff98089921fae7c2a10bc7ec0c99934061f0c31336b063f53f208fc79f6402

C:\Users\Admin\AppData\Local\TempVHHFN.bat

MD5 f3d85b1490cc1409c6bfce0a010ae5f3
SHA1 b376eb0754003174f008dedfe3630f349fcc08af
SHA256 e5e0628933cbf4d42dd18f33809c3ed733a310c3b9f78215b2e90b3cd581cd2a
SHA512 c4746df7a565fca73690936004acb276c8354f3935525a50e2b690dce42224531a9b1133f25ca65eb1fb798cb9cb2d4e0edddc31489e4425ab06a8d6b22dbbf6

\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

MD5 8322743a47f8ee339b4b9c76f47e0ee3
SHA1 0c19e631275e1852ad24cb88a76e492a3de1f67c
SHA256 07fa79c2844314a16c26b685e338d78da1543ec48517ae5bd9ed5e13f808a98b
SHA512 9bf8594e7fa59213c7afd91a89bafea42ba24c08b56f71be0c01780e72a195617ca964793274d3b7ef41ee9a26504b4ffeabdcb9ecdf89bf1883f9cb04ac1320

C:\Users\Admin\AppData\Local\TempUFEIV.bat

MD5 80fcdb7f0d083ecadec5420f5524c4df
SHA1 04f86b3afa07b6fbe7e2591bdb3799cc2e78750b
SHA256 743bbb4430056d2e432396ef2bdf38480b70afcd1ecbb099e087614bf01377fa
SHA512 7bb9b15afb6a60fe1a635d4eaa43e4dfbadf5580c2f4cc41f38cfed8b1c850a5a0391b647eefc3c4cb6b0936fc79f279e799d04df5b99c1acd32c97dbf80da04

\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe

MD5 4cd83155cecce673213f902ca5b9e17a
SHA1 a6e4e450c5ab58957f67428b298aaf27392e4f83
SHA256 2b563c97556b9fb2e30c3d814f8652e4d0546f20630f204ec45cb7aceef44d1e
SHA512 765cfade47e19f886f7a00da3d686045cf791670e215b004923cc277e2a63fea23d50f62305ebd0b401fc71949b06214c07f1ef5000302b7884d8a0440b25e0b

C:\Users\Admin\AppData\Local\TempYGOFD.bat

MD5 1c8a1be9bc3ebb31b2592214152bb854
SHA1 ad9dc2375b15466336615991e8f93396679cd5c7
SHA256 8276331203d869e2ccf20aa4070d1e22a3682ad54d69c4df288e5fb86522d8cb
SHA512 0b6179be6de759b1b4cd1597df2cc6df1de0223ef6b238cfbd33e6655e136fe8559094d8fea5dc783f79b33d91ea744ef491a6df1f420951c31626ad13dc7d81

\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

MD5 022b169d1e086151326d71a2b92de51a
SHA1 d7db8891855c200ed56a0f3c9863de0d3678b844
SHA256 c19ee64b62d0f53f81d551311068d0c3fc63d3ce487699406718d3c23c6c2339
SHA512 57bc173569a30fa87eb2ea4989aecca8325b11b97134d979cfbc9c9bf6f07fc5570361ba4383ebc2d92fc7453481d277c4c3ce00fec19c812843aa5c39487a8f

C:\Users\Admin\AppData\Local\TempWSSHP.bat

MD5 40fd2eb397fe6438934c7f2717fa4b27
SHA1 dd83f066f368c414a1f4379271d1de36847c1aa5
SHA256 935322d22cb8d3a8cb22dc881d77bb0af719fc0a3bd7abc154c45274d5c8ffea
SHA512 aa59d8b6e5313279b59b9c4ff9d5392ead400f43cc450b0f74d42997c7a6c6841b5cf6296d9863ec94b97da627b6fefb35208633886421d3701bb924ec26987b

\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe

MD5 5c042da6033abc6074cd9d2f2981f17c
SHA1 d204bd415b19a4d9c00ad6d316f0fded8f441705
SHA256 d63fa41f0e5db4e677758f1f31e5e8d56f2433e6366af6c224cd4478e7037d0d
SHA512 4aaa3588de6c1961fb2665f8a1e48f521ff0675ddfc65c569028e1cee8a25d1a56c90055a29ba7e49115f4f4768130dee8ffb857ba0a327f82366af3031c7c65

C:\Users\Admin\AppData\Local\TempMJSEK.bat

MD5 3f2a24c78a1e0062c3333fa133c76e55
SHA1 caafb642051e937a2658adee1f4553a4109af72a
SHA256 9694f3dfc741c18a643f8518244c2820f3e20aaf7cb099c49eba1013d922126c
SHA512 fa33c87b432c960f4d379cb104b9cb3b802629dbe852d94f1080b1ee017e54839c07f020f19b7c57703d025be5388a2128cbc09de9f81d591c7a170015d41e5f

\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

MD5 a3cf53030f08bc4263bdc06fccd83ac4
SHA1 e43817d102e92e928f0f35159874d32fd23778e6
SHA256 ddad055af5291634668d0a107d29ae7d9a6e072fe266a43aaa84401df7c4310b
SHA512 95693d9359054cb50ed59c70d12992e7c9e17413f6eef7de0d767695aca2139b637cf42588b515ebb8ce35131d28d2bbfeaeaf97f8df27b7f048b59410416a4e

C:\Users\Admin\AppData\Local\TempNOXTA.bat

MD5 2f639433a90ffd80f88b06472aaee1ca
SHA1 dd95f3059098502e98cb1f11ac51b756c509fb67
SHA256 1adf52f8a0dd36c614052aa308038793d2c314af5e50719c6d987888c77f4866
SHA512 24bf0e75536c0e50be3e88c7e95ef7fcf6f9fb17e54620d35e05bbaf251556a81a552f0d5cae5d1c1d8d79d62d87e3ee591e3126de0c0fedacd2c684820db5d4

\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

MD5 741ec9fcaa526c688db6f17ae25b4c4f
SHA1 4aac1365b27edb0869281b68e9036285443299aa
SHA256 b416e86bc3d5133e86d6e63ebdc76e2ffa4433e10f1316038b3f1a63f3155b39
SHA512 9721a9d541c26103dc151c23a9785fdba691f9e0afe3c49648d27760bebd9a6eaabb2214a7b94c67611aeb87d03dd318b21a7445f1d4195da124434747fd8b28

C:\Users\Admin\AppData\Local\TempQVGEI.bat

MD5 ff9abd1864688e58231b836533082825
SHA1 4e9d65dfa8db6c9f9d03821b9155f362e16596f3
SHA256 f560c1de0c8a6c41ee379d9b0c473782792f198e767ec0cbe8b4468ef090a342
SHA512 88bca29511ddb1b282d9ec78c3ee07a8f8763e1c5df58a6cc8c37a12cffa75117f3ec916399d21fbf72ac1f7cd7a860b55d4770d9f9b698906d7b9eeaba8c7fe

\Users\Admin\AppData\Local\Temp\KGUSJTMKNDIWVHP\service.exe

MD5 c72d801462f1a79b04260288c27c80d5
SHA1 b5d6769237be8d097101c4480915be15208c436a
SHA256 389d730ef161ff5a11fa4cd6a4a18b4b8c2fa15fe70bbd86fd2e6e89b3a1a484
SHA512 684508043baffd5da06fa358620c68b6ea438cc34204d7306e628bcffbda3f1b000d9e431a38c0ff6182e4fa4e497ea9401128f654db044ba04e6fdf3bb69595

C:\Users\Admin\AppData\Local\TempRVQYM.bat

MD5 4dd0704bf70b7b2cd6dba3eba341befe
SHA1 860564bfcb7fe35b15edf5cf68ea9d234451c946
SHA256 1d257f770fd370cdfb4a94abc88a1f46f6779b26afc818fcb46fb7d30db5b1b7
SHA512 3d7a3306837482e3d979a2c6cddd0279d713739a7acb27d602d124ef253056cd3ae8ae5a911ff57d21e7d7d150a83aeb1305e07f8273c054820d22665915be34

C:\Users\Admin\AppData\Local\TempGYXTU.bat

MD5 6e31c43788d7301741672ff4f3bf894d
SHA1 6eafac35c57f27c3a82a823234c33cf252297ad8
SHA256 f491f70f2aede6268defd75e90807d8b78950ca0b8e06f36e24132e6332372c5
SHA512 e00289ea72da234d58e338a41a2b8fe3a120bc27afa68b8379e0c4f21362188a876d7ed5cb026987f923464f831b313013469b603418df56a74e726f5388f07b

C:\Users\Admin\AppData\Local\TempEDHYU.bat

MD5 6ace3a1d3c3e050077ebaa5e3386d2e8
SHA1 dad913340c8192b784aa438fd4653ba816902d06
SHA256 65554738588a1fb152c213282328a472df15c728258091973231b602799c9e04
SHA512 d89db4790834504db4c6889d79e778e7c631ac51e30b47b45258b0fa6c2ffc3e9d87a973400b64a68f1e6a3a3c37be85a09be59d9b0de39d6f03da8920d663c1

C:\Users\Admin\AppData\Local\TempKUQDA.bat

MD5 0887f8a053b6634da227e398c394d81b
SHA1 7e302400941306dbb1fb3a489a23add27b1209d8
SHA256 2f72e4b614fd3ffa97fd87de3f00824cd240546d92b4b5516b558b17097a491c
SHA512 e5fd8516383823287089e860205c0da879e62c25160cfd7dc752c0e265fc60847c03aa72c49d2bd0ad1b71b9b3cedbc0be03a6b81d27410251356f5b4f801eb8

C:\Users\Admin\AppData\Local\TempVSQUP.bat

MD5 1faffc24a0f82a32b5098ebaba7e5779
SHA1 e565672cf80edcca0869335def7879961b3f133a
SHA256 976506a63c340ebca8a3df8e58eaed7c86d43dbab986067b68cf71eb3a682dfa
SHA512 c2828fea9899cfb2f33b6c737d7fb158b942645abd256800da9a2944a937fb2e58fec82a978c95fd22869c7cce2a5cc81b61ac59c3c7ffe04fb5a8a889738cd6

C:\Users\Admin\AppData\Local\TempJACDR.bat

MD5 d1f2e014c99667f1790fb29c6759c62c
SHA1 ba5add390cbf847484cfe9ef87ee50ff6705c531
SHA256 f7f2f97bbdb25c9b940ccc189306d8cf2db72688d4a8e779f70088f3f2357f97
SHA512 39ca1ed5043e399af93fa00f90636360e5a8162e270b8ca1617ab7af51c78051d4c989f1f6f32b9d78bc6b6d4557ee0fa891488c127ec7d9aff17aeeddde072a

C:\Users\Admin\AppData\Local\TempWCUYT.bat

MD5 797a05802a5f3d6699024252559afe38
SHA1 ab85f1b33d35de1a5d5f55187c816bb4237eeca1
SHA256 16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074
SHA512 73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

C:\Users\Admin\AppData\Local\TempOVLJN.bat

MD5 e95acfeb457237af6afe96527da371f7
SHA1 8bc3b050182199c2801b82e3d0667c83d723aa37
SHA256 d5749216b228c5451b89f8d627155996545936afa22e06571f5bbaf77b30815a
SHA512 972d3bca56c1517464dbdb84afa9a9df48201010313582bffe921f5d586f703d4979019a6582fde443477895bdee0db983d9d3aae13c1bea987a45d2178fb0e2

C:\Users\Admin\AppData\Local\TempEJYWG.bat

MD5 6b5c47a03120f6484baa505809363ac7
SHA1 f47dc43b7a3c5ee3935b2603c323ab80deed9cfe
SHA256 69652aac0f2bed2d1139661efcf3c583f885bd643acb9421c1ab2215dc6b76a2
SHA512 8dfd82f42deb4c52b78db1d6bc7304fad8ba5f2661484c45d90cee320a15f82a62f8b5ba326dae62520c0ab82c7665fbcfce2824fbc7f5704c845cbacd192520

C:\Users\Admin\AppData\Local\TempGUCQP.bat

MD5 9d8c823aa9d6fc3f009d667a0b5c2aeb
SHA1 9cc26bc83d1c543b737c4880b73e40a6ed254bce
SHA256 980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4
SHA512 66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

C:\Users\Admin\AppData\Local\TempWIOTE.bat

MD5 21343373fa3df55d7326902ef73a77d2
SHA1 18c1af04af5f2a7699781f70ba94599e0866d9be
SHA256 4c4fc3782a2dabc1adf075d4b2d1898d81994c4077e8dfb8dcee670243d41911
SHA512 6a856d9fe66d101a76ae0119d1a18b36dd9802624c6759b53948fc0ee6c8b225369b3d4e6203a3d17988a0a252f8082d033b9cb4e86ec25dc73e38468dfacd4d

C:\Users\Admin\AppData\Local\TempGPBHM.bat

MD5 9e578c30d5abd782192c456c0842e749
SHA1 b6d0203ff08a568627ea690ad5762f1a4c333113
SHA256 c05d870d95723502bb6fa7614405ccf842932240675b4c4f539a3b66740d5f2a
SHA512 23301b106ca4f3c463daf119ea2949c9a2d8bbca9a3430f55e2056a76d289a1c06b1a221527229c9b4fcfc2ba55045c2da972d7f2b01bd9317afc35193c440cb

C:\Users\Admin\AppData\Local\TempNUJJK.bat

MD5 408103db4ad9374528e4599b6139e839
SHA1 d978ef5d7ca78c78ba70647e9e4948d7b62a82cd
SHA256 d8a8526ae5fb68c815226e1671330a8f579af0970b766652981ef7e8c144af68
SHA512 5b79f24248eed96faf5237dbceb8341c8b52f9a53eb9de978f7782dcca5322b23103de153890712c33f651dbf80ad54c11ce8c55b3432fe7c7494ec6d6b663cb

C:\Users\Admin\AppData\Local\TempSDWWL.bat

MD5 f12eabc05ad07e28998bba3d0c4b7517
SHA1 21aa28ea0e9786833d2cea38e7f8176560945456
SHA256 d6ed466f36738b8d14060e25c85244877190aeda44d43d0bd7b71203a44163eb
SHA512 e25d3d9b2ace750368e8a212701ef5415922669b72231abd716faec01db65ba14ae93cc3e5d8d9c4fd65e9edc69e0c6650268b6ef2cd9d1d0445a58b23f1561f

C:\Users\Admin\AppData\Local\TempDPVMJ.bat

MD5 ed9689e07fdf60cab6c2bca4ade0a238
SHA1 68b7b1813ea1e258adadfa1703feb2535fb94988
SHA256 908bbf857152b33eeffb703091070e2fdc14df83a892787e1a618962face28b3
SHA512 55eaf7d70572cd9d28ea9debf315a6bdae049672db74a7a5f6baf0a80aecb4e03b430131279e440cdd32b15f1c2fc7c05d0a265e8f94269a72f10ea18d6dd581

C:\Users\Admin\AppData\Local\TempRVQYM.bat

MD5 4d890f959a4d385e04d772ea987acbae
SHA1 41689789e4ff64776249ca571f2cf25d73569352
SHA256 6d52454135cf46234a716e74e7b284df88f76661ab37c31c21f56b62f9864ba1
SHA512 20f75f9081b01bc1354a411d3d8e3f7862f05fdd8b9dd5578e53e372d0456d4aa3850a4c71357a4a22a3fa6e695ce210e17487de535b6484d4f9183710038b22

C:\Users\Admin\AppData\Local\TempNOXTA.bat

MD5 a15e4aed73dcc45f662f2fbd31d1de31
SHA1 c40ea805fcd1fbb8a644045a5cbef752f84fa2b6
SHA256 f4e5edc4ac3d5fc73fcc6c5aad72fceb96c9581b0a9bb1043c7e78316bf07f51
SHA512 7a5fb4cd4715b33b075551ab4dd52f798878c69b6be91645a2d957a363cc4bec7a2950840ad220334eef3137a10d2c9ed8c7796bdf1c613f401cda1429a9727d

C:\Users\Admin\AppData\Local\TempUASWR.bat

MD5 455c8a6689513eaa82789d6053a1c49f
SHA1 316ee3812705351df713e6c2e2fd8137d35a7d6d
SHA256 a8d343b3418d974a4a3c11511a5f827664bc00e103b3d2a8dfbaba0701df82e5
SHA512 6f03a8bbb981589a1df53ffdd53ed07d77aee6a1f1b2b63bd0c2bc516ebc6698a7c5d39d712ba4fefdec248af97c2d02ef2c683bee8d8180c31e809f6b5aa5c5

C:\Users\Admin\AppData\Local\TempUGEJW.bat

MD5 c6ad413703313815cb7b72e3d5e4d387
SHA1 702afd950c3d5cfbf13ea5e27932a792ef9c2e5c
SHA256 28d8d55a537d91dfd6c059ba0ecd06b85cb84da39e4a2ba1a9a3794dc8d61f84
SHA512 f1b5250a66c6b97546ed4caaca5cd56924a9471c91063e08758ac349350b28b5843b4b1831b425d3e9054609ae421923bc0354687fe7678f66702fa93cb79bb5

C:\Users\Admin\AppData\Local\TempGFJWA.bat

MD5 6f2cf50a62a16cb7fa6b57880d901e18
SHA1 c31130c5581bb2c672d184800d61c3e7a3217bd8
SHA256 d77beddb0fe4ccd067e5ff2ae22ff746338db624a86bebc6067210885984a916
SHA512 b8c15169106c31ccfad7436e321d1dbbbeeac0c2ca9a2c666e92501da6612b9c004b99616e8c837d92d67097a86d2c15428f9c62b3a50b7fe60ef91e9365e63c

C:\Users\Admin\AppData\Local\TempKWHGK.bat

MD5 5afdc54e0196cc5ab4ea6bccfc4f6092
SHA1 8377d18b05d5424aa9ab36ab527fb133d9e6b581
SHA256 5d43c8fbdd4e5f11bcca6a5ed4fc910b9bbbb671294783503e98928423b9cc19
SHA512 fcb0d4ba0ebfdbe270a8950cd347afc1c05eca3cc11ee4bbff2b97298ad00e2e5d01bc3296c5009fd01c78d8a6cf0ac388327d258ef7a9a1d169baca70bdc17a

memory/608-882-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-887-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-888-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-890-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-891-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-892-0x0000000000400000-0x0000000000471000-memory.dmp

memory/608-894-0x0000000000400000-0x0000000000471000-memory.dmp