Malware Analysis Report

2025-05-06 00:16

Sample ID 250124-afkyza1rdl
Target 5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646
SHA256 5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646

Threat Level: Known bad

The file 5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades

Blackshades family

Blackshades payload

Modifies firewall policy service

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 00:09

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 00:09

Reported

2025-01-24 00:11

Platform

win7-20240903-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload


Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE


Loads dropped DLL


Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XXKMHFHXLSBNRCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\USRVIMIGWULKNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGLDULKA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHHFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KFDUSIIKFBDMIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWXAKQXXIACQMLY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIARJFAUYKLIRDJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFPYWGDNHIYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULLJRDKO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKXGGSYOMQLTIJB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEAVPDK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWTEAYLEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSPYKQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMIURPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBETHOJOKWS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NROCOWCUYTPRDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLKMHFMHXLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHYVWJOVW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEIX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTDPPQLJQMBPWG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KOJRFGXGGPKTKIU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMAL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDVMJDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\IMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHCRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXUUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDMDVMJETNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFCTRHHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWVDXNDIARIGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNJHOJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTONTPFSAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGOCCDYDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FABWREMGLYITQOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GTPSWUXIMSFCRQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQGTPNSFSUPILM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPJHJWXES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIJGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\INKKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBIDYTGO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKYHHSPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPEDEAFAVQDL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WWKLGEHXKRAMRBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMVDAYOSXEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGUBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOMUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIXWKLHFHXKSBMR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCSBJSPKEETURAA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYRWPFPJHKWXFS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSRVIMIGWULLNIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHVVIKFDGVJQLPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXMDIARIGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJHKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QOTGKFDUSIIKFBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNEJBSJHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
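The rows above are one process asking AdjustTokenPrivileges for LUIDs 1 through 35 in order: the names the report resolved sit at the well-known positions defined in winnt.h (SeCreateTokenPrivilege is 2, SeCreateGlobalPrivilege is 30), and the rows that appear only as a number are the LUIDs it left unresolved (1 has no privilege defined; 31 to 35 are SeTrustedCredManAccess, SeRelabel, SeIncreaseWorkingSet, SeTimeZone and SeCreateSymbolicLink). The point for an analyst is the sweep itself, not any one entry: AdjustTokenPrivileges can only enable privileges the token already holds, so a request for SeTcbPrivilege from a process in %TEMP% fails with ERROR_NOT_ALL_ASSIGNED and changes nothing, but it is logged all the same and no legitimate program enumerates privileges by number. The Python below is an added example, not part of the sandbox report: it decodes rows in this layout against the winnt.h table and scores the sweep. The consecutive-run threshold and the small watch-list of privileges that default policy grants to no user account are my assumptions, and the input is a constructed copy of the table above.

```python
"""Decode and score AdjustTokenPrivileges rows in the report's layout."""
import re

# Well-known privilege LUIDs as defined in winnt.h (SE_CREATE_TOKEN_PRIVILEGE = 2
# through SE_CREATE_SYMBOLIC_LINK_PRIVILEGE = 35). LUID 1 has no privilege defined.
WELL_KNOWN_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfSingleProcessPrivilege",
    14: "SeIncBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege",
    22: "SeSystemEnvironmentPrivilege", 23: "SeChangeNotifyPrivilege",
    24: "SeRemoteShutdownPrivilege", 25: "SeUndockPrivilege",
    26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
}
NAME_TO_LUID = {name: luid for luid, name in WELL_KNOWN_LUIDS.items()}

# Assumed watch-list (my choice, not from the report): privileges that default
# Windows policy assigns to no user account, so a request alone is worth an alert.
NEVER_USERLAND = {"SeTcbPrivilege", "SeCreateTokenPrivilege"}

ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(\S+)\s+N/A$")


def parse_rows(lines):
    """{process_path: [luid, ...]} from 'Token: <name-or-number> N/A <process> N/A' rows."""
    by_proc = {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        token, proc = m.groups()
        luid = int(token) if token.isdigit() else NAME_TO_LUID.get(token)
        if luid is None:
            continue  # unknown privilege name: skip rather than guess
        by_proc.setdefault(proc, []).append(luid)
    return by_proc


def resolve(luid):
    return WELL_KNOWN_LUIDS.get(luid, f"<undefined LUID {luid}>")


def assess(luids, sweep_min=20):
    """A run of consecutive LUIDs at least sweep_min long (assumed threshold) means the
    program is enabling every privilege by number instead of the one or two it needs."""
    distinct = sorted(set(luids))
    consecutive = bool(distinct) and distinct == list(range(distinct[0], distinct[-1] + 1))
    names = {resolve(l) for l in distinct}
    return {
        "distinct": len(distinct),
        "sweep": consecutive and len(distinct) >= sweep_min,
        "undefined": [l for l in distinct if l not in WELL_KNOWN_LUIDS],
        "never_userland": sorted(names & NEVER_USERLAND),
    }


# Constructed input reproducing the table above: LUID 1, the 29 named privileges, then 31-35.
PROC = r"C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"
TOKENS = ["1"] + [WELL_KNOWN_LUIDS[i] for i in range(2, 31)] + ["31", "32", "33", "34", "35"]
SAMPLE_ROWS = [f"Token: {t} N/A {PROC} N/A" for t in TOKENS]

if __name__ == "__main__":
    for proc, luids in parse_rows(SAMPLE_ROWS).items():
        verdict = assess(luids)
        print(proc, verdict)
        print("numeric rows decode to:", [resolve(int(t)) for t in TOKENS if t.isdigit()])
```

Feed it the same rows from any sandbox export and a verdict with sweep set is the "enable everything" loop; a normal program that needs SeShutdownPrivilege for a reboot shows one or two LUIDs and no run.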

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2556 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
PID 3020 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
PID 3020 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
PID 3020 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2240 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
PID 2240 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
PID 2240 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
PID 2240 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2188 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2188 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 2188 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe
PID 1740 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1740 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
PID 1740 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
PID 1740 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
PID 1740 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe
PID 2436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 808 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 808 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 808 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
PID 2436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
PID 2436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
PID 2436 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe
PID 2584 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe C:\Windows\SysWOW64\cmd.exe
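Every row in this table pairs a writer with a process it had itself just started (the Processes list below shows the same parent/child order), which is what process creation produces on its own, since the parent writes the new process's startup parameters into it; the injection case would be a write into a process the writer did not create, and none appears here. Read that way the table is a process tree, and the useful thing to pull out is the lineage: each service.exe generation spawns cmd.exe, which runs reg.exe, and then spawns the next service.exe from a freshly named directory. The Python below is an added example, not part of the sandbox output: it rebuilds that tree from rows in exactly this format and checks the pattern generation by generation. Its input is a constructed copy of the distinct pairs from the table, repeated four times each as the report prints them, and the regular expression assumes the 'PID A wrote to memory of B N/A <parent image> <child image>' layout.

```python
"""Rebuild the parent/child tree behind 'PID A wrote to memory of B' rows."""
import re
from collections import Counter

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")


def parse_edges(lines):
    """Ordered, de-duplicated (parent, child, parent_image, child_image) edges plus
    how often each write was reported (the sandbox logs the same pair several times)."""
    edges, counts = [], Counter()
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        p, c, pimg, cimg = m.groups()
        key = (int(p), int(c), pimg, cimg)
        if key not in counts:
            edges.append(key)
        counts[key] += 1
    return edges, counts


def build_tree(edges):
    children, image = {}, {}
    for p, c, pimg, cimg in edges:
        children.setdefault(p, []).append(c)
        image[p], image[c] = pimg, cimg
    return children, image


def root_pid(edges):
    """The one PID that writes but is never written to: the original sample."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    (root,) = parents - kids
    return root


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir(path):
    return path.rsplit("\\", 2)[-2] if path.count("\\") >= 2 else ""


def service_chain(children, image, root):
    """Follow the service.exe lineage generation by generation from the root."""
    chain, node = [], root
    while True:
        nxt = [c for c in children.get(node, []) if basename(image[c]) == "service.exe"]
        if not nxt:
            break
        node = nxt[0]
        chain.append(node)
    return chain


def staged_persistence(children, image, pid):
    """True when pid spawned cmd.exe and that cmd.exe spawned reg.exe, i.e. the
    drop-a-.bat-then-REG-ADD step seen for every generation in the Processes list."""
    for c in children.get(pid, []):
        if basename(image[c]) == "cmd.exe" and any(
            basename(image[g]) == "reg.exe" for g in children.get(c, [])
        ):
            return True
    return False


# Constructed input: the distinct rows of the table above, each repeated four
# times as the report prints them. Paths and PIDs are the report's own.
T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE = T + r"\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"
CMD, REG = rf"{S}\cmd.exe", rf"{S}\reg.exe"


def svc(d):
    return rf"{T}\{d}\service.exe"


DISTINCT = [
    (3020, 2556, SAMPLE, CMD), (2556, 1752, CMD, REG),
    (3020, 2240, SAMPLE, svc("GTPSWUXIMSFCRQE")),
    (2240, 2288, svc("GTPSWUXIMSFCRQE"), CMD), (2288, 2884, CMD, REG),
    (2240, 2188, svc("GTPSWUXIMSFCRQE"), svc("IWSAVYXLPUBCHAF")),
    (2188, 1676, svc("IWSAVYXLPUBCHAF"), CMD), (1676, 2152, CMD, REG),
    (2188, 1740, svc("IWSAVYXLPUBCHAF"), svc("FTPRVTWHMREBQYP")),
    (1740, 1724, svc("FTPRVTWHMREBQYP"), CMD), (1724, 2432, CMD, REG),
    (1740, 2436, svc("FTPRVTWHMREBQYP"), svc("GCYQWPFPJHJWXES")),
    (2436, 808, svc("GCYQWPFPJHJWXES"), CMD), (808, 1488, CMD, REG),
    (2436, 2584, svc("GCYQWPFPJHJWXES"), svc("AIARJFAUYKLIRDJ")),
    (2584, 1872, svc("AIARJFAUYKLIRDJ"), CMD),
]
LINES = [f"PID {p} wrote to memory of {c} N/A {pi} {ci}"
         for p, c, pi, ci in DISTINCT for _ in range(4)]

if __name__ == "__main__":
    edges, counts = parse_edges(LINES)
    children, image = build_tree(edges)
    root = root_pid(edges)
    chain = service_chain(children, image, root)
    print(f"root {root} -> {len(chain)} service.exe generations")
    for pid in chain:
        print(f"  {pid} {parent_dir(image[pid])} stages-next={staged_persistence(children, image, pid)}")
```

On the visible rows the chain is five generations deep and every generation except the last (whose reg.exe falls outside the excerpt) shows the cmd.exe to reg.exe step; the directory names are all different, which is why a per-path blocklist is the wrong response and the Run-key values are the thing to sweep.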

Processes

C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe

"C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNVJKK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWREMGLYITQOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\GTPSWUXIMSFCRQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBETHOJOKWS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHPGAK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KFDUSIIKFBDMIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSFCR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCQGTPNSFSUPILM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYQWPFPJHJWXES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFAWPU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWXAKQXXIACQMLY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIARJFAUYKLIRDJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDVMJDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVHIFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFPYWGDNHIYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBULLJRDKO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMYUAS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CHVVIKFDGVJQLPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\MOEWUDXMDIARIGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XXKMHFHXLSBNRCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSTYEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWTEAYLEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INKKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBIDYTGO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYHHSPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QIYHPEDEAFAVQDL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBOWCU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXWKLHFHXKSBMR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCSBJSPKEETURAA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQBVUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NROCOWCUYTPRDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLKMHFMHXLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWBTYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WWKLGEHXKRAMRBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHCRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXUUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMUHNS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJHKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSPYKQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYRWPFPJHKWXFS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVMJETNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMIURPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHBPYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHYVWJOVW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USRVIMIGWULKNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGLDULKA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVHHFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTDPPQLJQMBPWG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKFDUSIIKFBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNEJBSJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVLXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGUBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOMUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAGUCQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFCTRHHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQBYNMNJHOJMUDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEFOKY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSRVIMIGWULLNIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWGSSTONTPFSAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRQUHL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOJRFGXGGPKTKIU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMAL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTGMRC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIJRNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKXGGSYOMQLTIJB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEAVPDK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"

C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe

C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 00:09

Reported

2025-01-24 00:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGTAJXTRBWIBVXC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJXGGRYOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SENEWOKFVOPYOPM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDRXPGQJIKXAXFT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPAQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYRHRKJLYBGUT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GLYHHTQNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLMIGNIYMT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UYVJVGFJXYAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJPLBOWF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCCOULJNIPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRUXWYKOTABHES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVJVGFJWXAKQXXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDWGSRSOMTOESIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUUIJECFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUCDOULJNIQEFYW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVBRMHBGV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NLPKSGHYAHHQLUL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRSPYKQVHFJEMAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVJLDKKTPXODMYV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOYSQTEJOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BYGUTFOFXPLGWPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOJIOKANVEP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UFDHCKWAXSQATIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGYPMGBBQROXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGBCXSFMHMIUROT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTWVXJNSAGDRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KBVTRVJNIGXVLLN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBCXDTOCJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHDBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDYCQGUPNSFSUPI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXAANTLTHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XNOMUGNRDBFAITU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCPFTPNRERTOHLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBGNXNSKSGRHD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAQRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RONREIECSYQHGJE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKDXCEVRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYPMGWQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRISLKMCHVUGO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PXLMFMMVQQFOBXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQFGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBRMAHCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DEAVQDLFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORVTWHLREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CXTOBXIYDIXYVFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRTFJOCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSRFGCACXSFNHMJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOFXPLGAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLNIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
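The Run-key rows above and the REG ADD command lines in the Processes section share one shape: a 15-letter value name pointing at %LOCALAPPDATA%\Temp\<15 letters>\service.exe, written by reg.exe. The script below is an added example (not part of the sandbox report or its tooling) that turns that shape into a check: it parses both the "Set value (str)" rows as printed here and raw reg.exe command lines, flags entries matching the pattern, and emits the reg delete lines a responder would run. The two registry rows and the first REG ADD line are copied from this report; the OneDrive line is constructed as a benign control.

```python
"""Flag Blackshades-style Run-key persistence in sandbox rows and reg.exe command lines."""
import re
from typing import Dict, List

# Input copied from the report above (two registry rows, one REG ADD command line),
# plus one constructed benign REG ADD line (the OneDrive entry is made up for contrast).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGTAJXTRBWIBVXC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EJXGGRYOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
]
COMMAND_LINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe" /f',
    # constructed benign entry, not from the report
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
]

# A '...\CurrentVersion\Run\<value> = "<data>"' registry row as printed in the report.
RUN_ROW_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<data>[^"]*)"')
# A reg.exe command line writing a REG_SZ value.
REG_ADD_RE = re.compile(
    r'^REG\s+ADD\s+"(?P<key>[^"]+)"\s+/v\s+"(?P<name>[^"]+)"\s+/t\s+REG_SZ\s+/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)
# The pattern the report shows: a 15-letter value name and a payload living in
# %LOCALAPPDATA%\Temp\<15 letters>\service.exe. Path matching is case-insensitive
# because NTFS is; the value-name check keeps the exact uppercase form seen here.
VALUE_NAME_RE = re.compile(r'^[A-Z]{15}$')
DROP_PATH_RE = re.compile(r'\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$', re.IGNORECASE)


def is_blackshades_run_entry(name: str, data: str) -> bool:
    """True when both the value name and the target path fit the report's pattern."""
    return bool(VALUE_NAME_RE.match(name) and DROP_PATH_RE.search(data))


def from_registry_rows(rows: List[str]) -> List[Dict[str, str]]:
    """Parse 'Set value (str)' rows; the report doubles the backslashes in the data field."""
    hits = []
    for row in rows:
        m = RUN_ROW_RE.search(row)
        if not m:
            continue
        path = m.group('data').replace('\\\\', '\\')
        if is_blackshades_run_entry(m.group('name'), path):
            hits.append({'name': m.group('name'), 'path': path, 'source': 'registry'})
    return hits


def from_command_lines(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Parse reg.exe command lines and keep only writes to a ...\\CurrentVersion\\Run key."""
    hits = []
    for cmd in cmdlines:
        m = REG_ADD_RE.match(cmd.strip())
        if not m or not m.group('key').lower().endswith(r'\currentversion\run'):
            continue
        if is_blackshades_run_entry(m.group('name'), m.group('data')):
            hits.append({'name': m.group('name'), 'path': m.group('data'), 'source': 'cmdline'})
    return hits


def cleanup_commands(hits: List[Dict[str, str]]) -> List[str]:
    """reg.exe lines that undo each persistence entry (run in the affected user's context)."""
    return [
        f'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "{h["name"]}" /f'
        for h in hits
    ]


if __name__ == '__main__':
    findings = from_registry_rows(REPORT_ROWS) + from_command_lines(COMMAND_LINES)
    for h in findings:
        print(f"{h['source']:8} {h['name']}  ->  {h['path']}")
    for line in cleanup_commands(findings):
        print(line)
```

The value-name regex is deliberately strict: widening it to any random-looking name would start matching legitimate installers, while the path check alone would miss a variant that renames service.exe. Deleting the Run values is not sufficient on its own; each referenced service.exe (and the .bat in %LOCALAPPDATA% that wrote the key) still has to be collected and removed.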

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4968 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 2472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4620 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4620 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
PID 2472 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
PID 2472 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
PID 1848 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5068 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5068 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1848 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
PID 1848 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
PID 1848 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
PID 4160 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
PID 4160 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
PID 4160 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
PID 3296 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3468 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3296 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 3296 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 3296 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe
PID 4308 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4308 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
PID 4308 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
PID 4308 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
PID 4536 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4536 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe
PID 4536 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe
PID 4536 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe
PID 4368 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe C:\Windows\SysWOW64\cmd.exe
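The WriteProcessMemory rows above are really a process-creation log: each dropped service.exe spawns cmd.exe (which runs reg.exe for the Run key) and then the next service.exe, so the sample is a chain of self-copies rather than one implant. The script below is an added example (not part of the sandbox report) that rebuilds that tree from the rows as printed here, collapses the three writes the sandbox records per CreateProcess into one parent/child edge, and answers the questions a responder asks: what is the full ancestry of a given PID, and how many generations of service.exe sit between it and the original dropper. The rows are copied from this table; only the first three edges keep their triplicates, the rest are listed once to keep the input short.

```python
"""Rebuild the process tree from the 'wrote to memory of' rows of the report."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the WriteProcessMemory table above. The sandbox logs each
# CreateProcess as three writes into the new child, so edges repeat; the first
# three edges are kept in full, the remaining ones are listed once.
WPM_ROWS = r"""
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4148 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 4812 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe
PID 2472 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe
PID 1848 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5068 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1848 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe
PID 4160 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 1400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4160 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe
"""

# One row: "PID <src> wrote to memory of <dst> N/A <source image> <target image>".
# Image paths in this report contain no spaces, so a single \S+ per column is enough.
ROW_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<proc>\S+) (?P<target>\S+)$')


def parse_tree(text: str) -> Tuple[Dict[int, int], Dict[int, str], Dict[int, List[int]]]:
    """Return (parent, image, children) maps; repeated rows collapse to one edge."""
    parent: Dict[int, int] = {}
    image: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        image.setdefault(src, m['proc'])
        image.setdefault(dst, m['target'])
        if dst not in parent:  # first write wins; the two follow-ups are the same edge
            parent[dst] = src
            children[src].append(dst)
    return parent, image, children


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def lineage(parent: Dict[int, int], pid: int) -> List[int]:
    """PIDs from the root of the tree down to pid, inclusive."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def service_generations(parent: Dict[int, int], image: Dict[int, str], pid: int) -> int:
    """How many service.exe copies sit on the path from the dropper to pid."""
    return sum(1 for p in lineage(parent, pid) if basename(image[p]).lower() == 'service.exe')


def render(image: Dict[int, str], children: Dict[int, List[int]], root: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view of the tree under root."""
    lines = [f"{'  ' * depth}{root} {basename(image[root])}"]
    for child in children.get(root, []):
        lines.extend(render(image, children, child, depth + 1))
    return lines


if __name__ == '__main__':
    parent, image, children = parse_tree(WPM_ROWS)
    print('\n'.join(render(image, children, 4812)))
    print('lineage of reg.exe 1400:', lineage(parent, 1400))
    print('service.exe generations above 3296:', service_generations(parent, image, 3296))
```

The same parser works on the "Suspicious use of SetThreadContext" row if the regex is swapped for "set thread context of": there the source and target are both service.exe from the same directory, which is the self-injection step, not process creation, and it should not be merged into this tree.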

Processes

C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe

"C:\Users\Admin\AppData\Local\Temp\5365b9d6f85016ab575b60b3aedf3eb3f7bd2e8622735f2b8700a989f8dd2646.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFFYOJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUCDOULJNIQEFYW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

"C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTLPQV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGTAJXTRBWIBVXC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIPTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAQRO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQAPQN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYGUTFOFXPLGWPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBDQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UYVJVGFJXYAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJUSR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NLPKSGHYAHHQLUL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULJNIPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempABKYG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RONREIECSYQHGJE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPUGDH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYPMGWQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIIRNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJXGGRYOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHNSE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SENEWOKFVOPYOPM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempANRRL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PXLMFMMVQQFOBXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYUSB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRSPYKQVHFJEMAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFFOK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQFGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUYMPP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NVJLDKKTPXODMYV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPAQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDLFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENEYB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UFDHCKWAXSQATIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe

"C:\Users\Admin\AppData\Local\Temp\IVRUXWYKOTABHES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVKKL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FGBCXSFMHMIUROT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTWVXJNSAGDRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLMWSF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IDYCQGUPNSFSUPI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXAANTLTHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBCQML.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVJVGFJWXAKQXXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDWGSRSOMTOESIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWNLPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXIYDIXYVFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBEGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KBVTRVJNIGXVLLN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURPTO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSRFGCACXSFNHMJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOFXPLGAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOQGU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XNOMUGNRDBFAITU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVREBQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCPFTPNRERTOHLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBGNXNSKSGRHD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHDBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"

C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
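
The process list above shows the persistence pattern in full: every dropped service.exe launches a batch file that runs REG ADD to register the next copy under HKCU\...\Run, and the last copy re-enables firewall exceptions (DoNotAllowExceptions=0) and whitelists itself in the legacy AuthorizedApplications list under a "Windows Messanger" display name. The Python helper below is an added example, not code from the sandbox or from the sample: it tokenises such REG ADD command lines (as they appear in a process tree or in Sysmon Event ID 1 CommandLine fields), extracts the key, /v, /t and /d arguments, and flags Run values and firewall exceptions that point into %LOCALAPPDATA%\Temp. The rule names and the benign "ExampleUpdater" control line are the editor's own; the other sample lines are copied from this report.

```python
"""Triage REG ADD command lines from a process tree (sandbox Processes list or
Sysmon Event ID 1 CommandLine fields).

Added example for this report; parser and rules are a hypothetical helper by
the editor, not code from the sandbox or from the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A REG ADD argument is either "quoted" or a bare token
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Key suffixes of interest, compared case-insensitively
RUN_KEY = r"\currentversion\run"
FW_PROFILE = r"\firewallpolicy\standardprofile"
FW_AUTH_LIST = FW_PROFILE + r"\authorizedapplications\list"

# Anything under %LOCALAPPDATA%\Temp.  No trailing backslash on purpose, so the
# malformed "...\Local\TempKSOXO.bat" paths seen in this sample also match.
TEMP_RE = re.compile(r"\\appdata\\local\\temp", re.IGNORECASE)


@dataclass
class RegAdd:
    key: str
    value: str   # /v
    rtype: str   # /t
    data: str    # /d


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the REG ADD operation in cmdline, or None if it is not one."""
    toks = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    # Drop a leading "cmd /c" or "C:\...\cmd.exe /c" wrapper (both occur above)
    while toks and toks[0].lower().rsplit("\\", 1)[-1] in ("cmd", "cmd.exe", "/c"):
        toks.pop(0)
    if len(toks) < 3 or [t.lower() for t in toks[:2]] != ["reg", "add"]:
        return None
    opts = {}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f and anything else is irrelevant here
    return RegAdd(toks[2], opts.get("/v", ""), opts.get("/t", ""), opts.get("/d", ""))


def triage(cmdlines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, name, data) for every command line that matches a rule."""
    findings = []
    for line in cmdlines:
        r = parse_reg_add(line)
        if r is None:
            continue
        key = r.key.lower()
        if key.endswith(RUN_KEY) and TEMP_RE.search(r.data):
            findings.append(("run_key_to_temp", r.value, r.data))
        elif key.endswith(FW_AUTH_LIST):
            # Legacy exception list format: <path>:<scope>:<Enabled|Disabled>:<name>
            # Split from the right: the path itself contains "C:"
            parts = r.data.rsplit(":", 3)
            if len(parts) == 4 and TEMP_RE.search(parts[0]):
                findings.append(("firewall_exception_for_temp", parts[3], parts[0]))
        elif (key.endswith(FW_PROFILE)
              and r.value.lower() == "donotallowexceptions" and r.data == "0"):
            findings.append(("firewall_allow_exceptions", r.value, r.data))
    return findings


SAMPLE_CMDLINES = [
    # Three lines copied from the process list of this report
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe:*:Enabled:Windows Messanger" /f',
    # The batch launcher from the same tree: not a REG ADD, must be ignored
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "',
    # Constructed benign control: a Run value that points outside Temp
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ExampleUpdater" /t REG_SZ /d "C:\Program Files\Example\updater.exe" /f',
]

if __name__ == "__main__":
    for rule, name, data in triage(SAMPLE_CMDLINES):
        print(f"{rule:28} {name!r} -> {data}")
```

Run stand-alone it reports three findings for the sample lines (the Run value, the DoNotAllowExceptions=0 change and the Temp-path firewall exception) and nothing for the batch launcher or the benign control. The suffix match on the key is deliberate: it catches the same value under HKLM, and under a 64-bit Wow6432Node path, without a second rule.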

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 170.101.123.92.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 184.115.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 192.168.1.16:3333 tcp
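
The nine UDP rows are reverse (PTR) lookups sent to 8.8.8.8, not sample-controlled traffic in themselves: reversing the octets of each in-addr.arpa name recovers the address the VM had contacted, which can then be compared against the sandbox's usual background traffic. The only non-DNS flow is TCP to 192.168.1.16:3333, an RFC 1918 address; if that is the C2 endpoint configured in this build (an inference, the report does not say), it would only be reachable on the builder's own LAN, which is consistent with no further network activity being recorded. The Python below is an added example, not code from the sandbox: it parses rows in the table's column order, turns PTR names back into IPs and separates them from direct connections, marking each as private or public. The rows are copied from the table above; the classification is the editor's own.

```python
"""Turn the Network table of a sandbox report into indicators.

Added example for this report, not code from the sandbox or from the sample.
Rows are (country, destination, domain, proto) in the table's column order.
"""
import ipaddress
import re
from typing import Dict, List, Optional

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_to_ip(name: str) -> Optional[str]:
    """13.86.106.20.in-addr.arpa -> 20.106.86.13 (PTR names list octets reversed)."""
    m = PTR_RE.match(name.strip())
    return ".".join(reversed(m.groups())) if m else None


def address_kind(ip: str) -> str:
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def classify_rows(rows) -> Dict[str, List]:
    """Split table rows into PTR targets, other DNS queries and direct connections."""
    out: Dict[str, List] = {"ptr_targets": [], "dns_queries": [], "connections": []}
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53" and domain:
            ip = ptr_to_ip(domain)
            if ip:
                out["ptr_targets"].append((ip, address_kind(ip)))
            else:
                out["dns_queries"].append(domain)  # forward lookups; none in this report
        else:
            out["connections"].append((host, int(port), proto, address_kind(host)))
    return out


# Copied from the Network table above; the last row has no domain column
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "170.101.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "184.115.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("N/A", "192.168.1.16:3333", "", "tcp"),
]

if __name__ == "__main__":
    result = classify_rows(NETWORK_ROWS)
    for ip, kind in result["ptr_targets"]:
        print(f"PTR target  {ip:16} {kind}")
    for host, port, proto, kind in result["connections"]:
        print(f"connection  {host}:{port}/{proto} {kind}")
```

The private/public split matters when turning this into blocking indicators: 192.168.1.16 is not something to push to a perimeter blocklist, while the recovered public addresses should first be checked against what a clean VM on the same sandbox contacts before any of them is treated as sample-specific.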

Files

C:\Users\Admin\AppData\Local\TempKSOXO.txt

MD5 6234f28bd47bb65b789c7e695c5d8fd4
SHA1 ea7d81952c87e57607fbf951d2dea0dbbbc6e26e
SHA256 f49d72deb69719d46f455541f4c1dc90a22cb384b364cfd2c2fdb91028769599
SHA512 18b5fa95959abe6d25835c48d7a3b25ed48d36407bb4d5e1eb23173ad113329663844c3b06a73505fa722c32bb39a8007e89b2949841287d6f483905d56e4915

C:\Users\Admin\AppData\Local\Temp\YRQAYMLMIGNIYMT\service.txt

MD5 65c104db14d97f3fee80ea552a6dc822
SHA1 ee7c04fbd00b4c69292429180c94a6d7a556fe2a
SHA256 11ef3a7bf95bf8b7db9cb576fe5d8a60ce129bdb31e7cf95a59390675b4ede2b
SHA512 180d912a5f72068657b2bab1648664f27ca322625c87a1766bb2eca82515141ac2b59114e95cb9c28c7bec5adbf5eb7d56f00b445e83dc3db40723ed9661c583

C:\Users\Admin\AppData\Local\TempFFYOJ.txt

MD5 8b090728fee03de443e08a7b37f627d3
SHA1 3f8d656f7326f408eb6e084f5ace832fa600d130
SHA256 6f121e5f028070a332505d8b0f660c29f7965d2e55194775ef573df9ef0c3865
SHA512 68f0bc3fde3acbfa300a2702e8cce74600557b326d6db2ef794af6abfa2f376bbd2e0e2f9eac37f8e0518bf302de7bf6d1c9a09142ae13240cacacd9c6262d79

C:\Users\Admin\AppData\Local\Temp\MEUDLAAVBRMHBGV\service.exe

MD5 8858328bf9de82aae86463a53943b72c
SHA1 441356c65202b9181121f36f94bb3b86896c98d1
SHA256 6f3bdd22c3667d5b67ec1a2b7127b2ddc99464aa441abca51faaac33599a20e3
SHA512 482a87ec39f5b2240723201dbc94171d94a1a1e5a0d2d7ca325ac692a9cf48a6b1e55c0331aad7ffa5cc3e0e69fb5df74b2d9c0e0603223213f9e020a0b5925a

C:\Users\Admin\AppData\Local\TempTLPQV.txt

MD5 3909b3c552c7953c7cf61160c67ba11e
SHA1 1e547807fdfed24f6cbd5555abd8316c0364cefc
SHA256 fb8a1faa4002a8cc522faae95d99f8b0408205d8103c54f3978f65acc766a0db
SHA512 393f42b21a602e2abbc28063498c54ba6a96a973d217a84b8b8df834be57dc812a95dc0282ffc15371dc9e5563ad7e668730a048ffad5a137e60f653e04732d6

C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe

MD5 61eaab9a36981ad82036c4fc2b94acbf
SHA1 0937910b77e8e764fefe66f4afa9e3b57fe61582
SHA256 25057595d725031dffed4a09bf5087bdfd35415a788d34218f8720954a30f0df
SHA512 e9a72976f8f30ac59b40fb666b718fc1615c52b2ec3d6a2b855eccd55fe665d6324d77ee9ce5d8668cf424c7bf06dfdd3345856ef1168a7e4beffdb7910d3ae6

C:\Users\Admin\AppData\Local\TempWIPTF.txt

MD5 dd507783b244e1bfa969091d48776a83
SHA1 1e2e668cfbecf139dfa53db1d5983dc7e9bc6946
SHA256 5f7076f94fc2a19f7d29513fdc17266f5353643cf9fe7b82e1b8cd4e7650cff4
SHA512 6ee73f1e25c780a32db39eafa1a56c6d965c27032624dc105a62762c9ea401d03b4b8671504b1e725893ca7c49fc53efaa153a0596e9923d88b8fa6875ddd2db

C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe

MD5 de686751f7bda535e3bea003d8f1c2e4
SHA1 8dbd81cf9d2122a11cf9618f36a5813b732ebb14
SHA256 c708a64ea1c3ae17307470ae238975f4fd62a590314bbe63decaeb1721d6b95a
SHA512 c6e7b1158d9d6feba2cbf25792bc8be49c89da91486fff5dd29131e8c2b9bb0d3705dfe46af75cffcacd33dffdbc292dc5fefcdd1ef27b205f29ff3a293ed5db

C:\Users\Admin\AppData\Local\TempQAPQN.txt

MD5 0a50a779445f3e889509ad4b0c3155eb
SHA1 1c2af11aab842ce1ff774290d060a41de78ce6a9
SHA256 f1e7c742b32b9df9983ca45f235f8858126c7460d0f51f48b3ea5b89febfda65
SHA512 03b2587b5eca16a5ac8450f2fb5c43d1a9416cfeff2d74632e6cd27b73751ddaaa59e05ecf281b13e44e85e8bf526fe8b6ae085c815852716aa449a7c63ce08b

C:\Users\Admin\AppData\Local\Temp\SRCONOJIOKANVEP\service.exe

MD5 074b5d130f928b9a82d16214766bc7f3
SHA1 036e57ea676465dd58064f8ce30762f9f61d7f7e
SHA256 5478fa36ab0341be41ec75b9f4600863b629b496d21b6c389d09892795544385
SHA512 4cbf4498474d6d0089b5e357133c1b90ef031cb154ba0d4a0d1a59f14f8bd4c3ac555f507b5a53c4af73265539282a5182ec6f60865b6a5b74f2426c02008e05

C:\Users\Admin\AppData\Local\TempNOXTA.txt

MD5 4febd0c69ee4be6773ca67e0e845b982
SHA1 176496a4a3d6cb0371deeba7367c63d290169c9d
SHA256 0a869712ea250aa0f1512fd5feef21044ff2b2b78bf1173adfac70039415706c
SHA512 f3574c2afeb12abc3fc528fa09e2786e4e3b41dc0aea0e351df3f5005536981e947753df9c3de78e06a6f9892d34cd7c33cf404ea5a1bdd205936fcad310049a

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

MD5 c278eff2a4f841c2428b132101fb44e5
SHA1 a241374728d8677dbe53efaf42e231f705ea57bc
SHA256 f5aa816a2e2148959cfc6cc2dbabd21054106590e46d06efb4b3d8a3b848dffc
SHA512 ace419d9e0bc440cdfc701cc1d9bdbfa430c788c517acd5fa17b75e641c0d2bddf213e72f89a379acefac0c6a85093f14028b2586338b9df47e86a68e400faba

C:\Users\Admin\AppData\Local\TempIBDQM.txt

MD5 54e7dd04811e3c5c7adb64014b0fd1b1
SHA1 59b5d72027a48fcade813cc749c7bfc4efecaa46
SHA256 684b24beadd9b1e549a22484e78ae8515814e2c4f0ac0cbcbd67bb2810f0cba1
SHA512 3d9e2c7ccec48f895120a36d02af2c94ca73141545400fe858ea6f54adadbdb641f62d4077134e353caa8d333c15920dc36ceebc7dd67612747e6cada83c60cd

C:\Users\Admin\AppData\Local\Temp\TASDPOPLJPLBOWF\service.exe

MD5 b1fecb0e5a38b6cc2a3837df5659505b
SHA1 66ec13b94be9053a7e895df0fe745469f6a05dd2
SHA256 471684ce796e7181ca513a5e898af874a27a189f0c8b9a13eefa063d50314878
SHA512 a19e481ae2f83638f4d076156f1fb717dbcc4d474b9abeec3858fd99461269a422ffd7c63b7b999d68689b5dbd8eb65da1dc12f4e21faf56ccd8e22bbad4534f

C:\Users\Admin\AppData\Local\TempAJUSR.txt

MD5 56b77666785d86daf872d3006a96005d
SHA1 976df00b0ad76a29b8ad84987b803f897d722b3f
SHA256 92e88facc69e684b866791f50941dade3b3a1b50b91bed32758ea7ad078fb136
SHA512 5401139092dc78ad7bbb6229047e109dd413134457a29f32abe87f0a4faa31f2a81509b2f71d021baf5933aae297794b176c6f05d7851c95c8d6af48627aa7e7

C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe

MD5 d9c47e34b733d05d374c6dcdc55dbe06
SHA1 41dd7934c8eb73255a080f013a2773a9af93792e
SHA256 87b0c661d7c1ce9ea2b32a64a66f4a9b892ac75e814e60198006e7eb8ac76870
SHA512 65bd4b30341cc3b1a2f78f1eae57029eb08d4e33bf6396632c567b9fda862bb3299e201909456731603445350682da855fc1f12b345b9597741ee6da8ab2cdb2

C:\Users\Admin\AppData\Local\TempFYOJS.txt

MD5 db157818a0a97e73babc2855734c5406
SHA1 60cdc711249b42a0fcb60fa5c0838e6e48fddf5e
SHA256 d0feb07077e444f3a8b3695e9842c4f49ceb09e7851e3217c01c37a85ecd92f6
SHA512 3eb01002c5e7c13e313c9f329b0c9995f8105df987391d1c1dc947a6668841c48a275e37f9fe118a2b160e4dae3ea485270e88c4ff4c5f49427306478cc10e2c

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

MD5 1d0d4340381dd1906b9f941f3f3928ff
SHA1 438207e69daa8f619842ae56909d12ffb2a96bd4
SHA256 c04d7141c6ed9a207b06638f181dbc823cbeea6370a072edfd28a391e3db169f
SHA512 11b3e9dcd85288d818373e4fcabe292f686fcc03a4c438a69f691cabbee9ab311b232f44223757a12eace0e88ca8ceef31fafb94fb55360e2ce2fa77aac53586

C:\Users\Admin\AppData\Local\TempABKYG.txt

MD5 f3395fb87f79a75aad9093782ce6fb0c
SHA1 9d2ae0f4a5d96a55f6793b175a32a1ec7cee5403
SHA256 e0f14f288cc02d04b8693be7d2d4600071f12c5cdb621d4bef3cc0fa33b26091
SHA512 667baceca847c5eda8dd1ce305f77c1220ddf570abf075c4e177b6a195169a70f891d2703064dafe60ed5c743877fe953132cbffdfbb8f308234590bfa80346b

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKDXCEVRR\service.exe

MD5 7005154b61e2cceae4ec740faf2bed0e
SHA1 0a11b0c429a7784c450e09e966034b421a1fce51
SHA256 0f449278e5c37997c34594cb4a7ce83e12895024500937575c499713d1717044
SHA512 4ada919d07d486c6ae38cc1cdf315115fcf9c38d4f637161e058bc1c2d116ce69c2fae7df2bfa7e24de2e110e90a572d36efe7bb0416f46a4ad3a3db87e52e38

C:\Users\Admin\AppData\Local\TempPUGDH.txt

MD5 a2f05fde12bf21377c1f94d6a814291f
SHA1 d5ce88cfa22df2c1659f978efb12066768c0857d
SHA256 7a42536cd8b60a13d2707d9644330d47e64c2125ba4b0d31e691945d939ef329
SHA512 c4048552e0e7ddcaadd161bf77e59d4997751a939863a498fa774ad1394b9e30f37bbfc3469f9a185ff1b92180c92a7b38f91e3eb95055f828fa60bccaefa750

C:\Users\Admin\AppData\Local\Temp\JFTRISLKMCHVUGO\service.exe

MD5 b2e9286c5428749e9d4cd26ab127d814
SHA1 ac762daf4167fb8da3fa46970d689c5ef04d7a03
SHA256 ac9dcc74fcaaac08aae8abbbfd5eba9059908c23a069f488acf63204c224fa34
SHA512 259740f90ec17265e25f2eb9434134378e6231644098632a907831fbd367250c414a0802bbafa4a28a91d4cf216db845b65f9a737112fdb11f86f6b0821121a9

C:\Users\Admin\AppData\Local\TempOMQLT.txt

MD5 9b8ddcb8a03dda0db854de76f0b97656
SHA1 33e6cf7b482d51ef46095957b6c7757aeaf3fe6a
SHA256 4e81ba1a0b8e70dbfa0c5b77c2b2ba7e2a1e1842ddab305960de4d3f8422a368
SHA512 967d33476d233c9f45d452247268ac5c03eeb104330a885bf6bfaf9143c19a67680ec766122a884aefeaf6375d2b9c4959cb7458ebca18443b5610a2a8223840

C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe

MD5 dd40cbaa6567f4012a2bd32e045a6201
SHA1 790862ea1fb9e2fc0a18180464788ba6a57190a4
SHA256 29adf28c4de077c6f032adc6f8f9bba24a52a1dc21a56b59c9e4be7beee8525c
SHA512 0b7f9f256353c4fb80afbd1e0930ba3d2e9dfe35f3b10f22550dd36b2ebd61bf15a4894fd17deaea2bd6706f4ac330ed760bcfd76b0d646debdd0d9cbe9b740d

C:\Users\Admin\AppData\Local\TempVHNSE.txt

MD5 01a423dc9819ee71e3d9625b2dd40190
SHA1 20d2a4436f8afa87aa2abc177c739fce78b45b50
SHA256 70c9d210307f850d4ce4186ee292a4cacc82948c3298b1b627b7022a6ff31e6d
SHA512 cabd65183e8f6c3d8c2e5580147ce83671f7f0ef4eddafa396045e84fa058fc3d0e005cd7b83360b687e908973964ea8cea50cf6b44dfd93c07784f90e5052fe

C:\Users\Admin\AppData\Local\Temp\HDRXPGQJIKXAXFT\service.exe

MD5 0816eb3609c7ddcd2745e10e7e90af26
SHA1 55f613ce9a1627e85a6c7a66e2a18e7d6cec5bbb
SHA256 6c833bbf457b7fefbc62e8ea9b36219348b4c186251db9c0733548a3e80de3d2
SHA512 bcefd14e47834ac405f4233cf1263605117125b9699f9d1cec60aeed525799c9dcbe9cb6cd866d73988f65cbef75503eb14579e713546a2466bfbebf3941a43e

C:\Users\Admin\AppData\Local\TempCAJXF.txt

MD5 c68c3e5a50a38742641912ee2aab7548
SHA1 2fd2fa74689e2c4c479a4a42e9286c6076d2fc50
SHA256 ecf01c5255d39db0b77f5312c81a9d6a2bc05edf6a3c82dcb5313b5137a046a1
SHA512 82aaf3be7b05c10d9e09ade098ca51cdb486ec5585f2f3d8ebf0eced5b5e557a4cc444043ba91d0b6ebb132caa405ab074b987c0c71977c0f9d8ed3551981d67

C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe

MD5 d4df6f98a3da7861741bd37e5e6a32de
SHA1 15107eb075839230fbd150ff06851d4e8c017498
SHA256 64d0332af720eb8000114e207a4c2991692608d3d88d855e3b3951ebd46872cd
SHA512 9c3a43a7dc24b99274de505620e536743884dfc2ce9e3c9bd563226842d8c591def1e8937dd03dc7136cbf88a8698873f7d2b337a55844d76ca8e21520af7465

C:\Users\Admin\AppData\Local\TempANRRL.txt

MD5 65fc9cfd2167fd097080f9999f0b5d4f
SHA1 fefaf48217111677a8338ac0fc57c9c7b57a6677
SHA256 6da257ff72c1fa536319e44346fc79d180ec4da9dabc1a61a3d3c7548f185f0a
SHA512 edf83fcd8e577ba58aaab13d2a5c1186769ba7009f7ea97e464ad7a32f2f2a5bea8c8ad2d9f02f184ae87daa3c737aeaee2235a67b5b8f823ee011239e4993ac

C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

MD5 9501864863feecdc534a2943f44adf6e
SHA1 c93075c508b0ab199a4a96bee6bd9fb98e8a4aaa
SHA256 fb9b03c797a37b1a9ae07fa53a6414333c59f55da7a0d5922470561490780f4c
SHA512 b2f5a2583edea2da53283e6fbd1de77e8bd71fcbfa88ae0b64e34ecab00da540350a3aa80874c9a9c15f3650917e6f6edcacf3987fb82c894f21e4a95ae99ee0

C:\Users\Admin\AppData\Local\TempCAJXF.txt

MD5 dd9b85c1af6e757ed070222ec926d5fa
SHA1 3a3315571ea00bc351bcb25f1771fb38de381a6c
SHA256 cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec
SHA512 c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

MD5 76610563a7daf8fe31bb69a6a3ace428
SHA1 3bbb1e80f0764356487bd46c90223ea3450f2922
SHA256 ac6ff1cede043c98a0349464200a79083d0dbdc8ad83400be37015b5e51c489d
SHA512 4f39ead61f18b2c49277e54bb59f8b99e992b996da5f5a29c27e46a9383533692c664aebbd8085762ffdede5c528d994cfb59c94ccd551cd48dd27f48932bd25

C:\Users\Admin\AppData\Local\TempBYUSB.txt

MD5 ada40c11caf09a5f36288da437604749
SHA1 ea7911903e316109df023b0a113f0cee013b73b1
SHA256 ccf14036451e7020529a077eb59ee5e1271c09ba10c1958e93899b4a255be6b2
SHA512 cf58388b1a89d285aec9f0e06b744dc588ebdd460f5eeb5829f3932c405c0332ef800cc9fe307aad4d47558b58ee67c1c09107acf8078c68d77783c5013b8efb

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

MD5 86a50b795470670722682f93d5226eea
SHA1 75d938fab887e22dbc42778d83861803938e07eb
SHA256 c6110a6c016f6982c06855eee446a6e7d302f7fcd580d815fc9bd740563d95cb
SHA512 566d02fa26a4803f4c0bacc02ceafe106342c730e3671197034be305ef11c8a964f7b79b7f8f9cd681ec742034961c3360e0480da0727f5f1e1331163702dbd2

C:\Users\Admin\AppData\Local\TempWFFOK.txt

MD5 1f16c8669e2500574c94e9f513bd365b
SHA1 087ad6d732f71bd8e9e0b5dfdf5a519e0a9c2e7b
SHA256 8d9cd321758599bab82b0ae17c21ece06abeb3df5c64f388b8e83ec56e10ef84
SHA512 6c0107df33e649ba0142999038a56b55125c7a75706ee9c02e3d9f4ec81d0969c880046c1d89753788a17b591c9c4736fc472e9a40c496141d3e74bd40a68fe2

C:\Users\Admin\AppData\Local\Temp\MFUEMABVBRMAHCG\service.exe

MD5 4f7d091ff86037ef607fe2c08c56f0ba
SHA1 7f6505098b04c5ea890d393d8c1fb7c98b9be463
SHA256 ad8d3a7b6a6d95e9322282e6b3d7e1489eac69bb050811a495910a7947e8d0e9
SHA512 a951d193c7cccf74420bb1c8b98d4efc7fa806c8e255577112d71c328cbd6601c521452d4709a8bc1b8cae0a88fcadf71ad284b365a6799cbf9a9ea5fee876c0

C:\Users\Admin\AppData\Local\TempUYMPP.txt

MD5 4039e963052f1d5c440010f3462e82e0
SHA1 80d6b07b5fcf7debc8c69ceae447fa7eebab1877
SHA256 b7d60532d688b243108413a5b96227295a69ab0613b9422efee9933d9576c0d5
SHA512 7b7c9e02aa7c620a3e3d99327c68e1e727a50d192c8fae4c8e99c48bfad3982febf1557d91204c9972cba944ba0f84bd87768f91d9fda4d4654ade07a5688410

C:\Users\Admin\AppData\Local\Temp\CQMYOYSQTEJOBNV\service.exe

MD5 a3b8a34f4d1e051eb55710e421ff7d87
SHA1 1a59e9ff7b8d9c1d6cfe05908546f2bf37472917
SHA256 adf37c8ea904db1d8346606278ab37e90f8b64e4d6bec8cafe94ddd3ab3b6d8c
SHA512 c7d02f53ebede469c2cad2501694c2b992b3c365310ecaf9d14cc9dc6c30c30a2be93a3518078cd2886834c294d616be0c2653e512f787c480ca413cb72b3c82

C:\Users\Admin\AppData\Local\TempWIOTF.txt

MD5 26f3456284c42531d062fecc8f950858
SHA1 13fc1f48a575e5fec12d3ae262bab99edab25a14
SHA256 3efe61fbc3cecb44ed4abfa9509f3579e320fa71e3899bf95627e3aad1f1a33c
SHA512 d54a4973044082b1e2fa3a31397ef3efd6249a621c96b2e88c807fbd050e883cd0a17230dc7eb15574fbef681ef49c79f6a553adf6d20288035e59306a1f6968

C:\Users\Admin\AppData\Local\Temp\IESYRHRKJLYBGUT\service.exe

MD5 2fe6ee60a0840bbd05aca5312c533ee3
SHA1 85b555b5b2f2b11fb72fa37703896b41dfc54708
SHA256 06a54baf58e740691fdab39cb69e364d1f882448cb9523d41245b9fa545fe17d
SHA512 5f4b495f495a45d1007d1a0a8037d0796a303430c009a39efccce679604f1b592b941d86218cfbbd4acb29e257ffc86c3307061232759b36cee426de6bf404b2

C:\Users\Admin\AppData\Local\TempRMUIJ.txt

MD5 1370a8fb9b63249bfbc4be07f8c7df93
SHA1 2ff42a1700302ab58329ab27bca4ee16fd678d6a
SHA256 396bd3e9b92d250118bb5c258dfa408ae09cdce79bc9f4c01fe87852867c44f5
SHA512 e337306f083bf92b99524723c12ae5b1f0fde7566c04c555582ab9d2245fa08e2e9cdafecbfc38f549d973d2a45b20dae078a251b3b7392ff43e089d01a8209b

C:\Users\Admin\AppData\Local\Temp\FSORVTWHLREBQYP\service.exe

MD5 5a19867b8698c5f9dbbbbd3e33b88de7
SHA1 fc58e25fa00a2352197515fb610f8eb74fa709f5
SHA256 ae272f7cde5c6122930f57ed098b4f2132282829d66bc2be260be8874fdd2e5b
SHA512 494d641b6074046533eb9f2e0b251a8d0404b1a0b08febc6307f4093c8203782fab6d4762b47bd82d752cd9ddbd80f6f4e13a69e4a0f8259f00d89928e731bc8

C:\Users\Admin\AppData\Local\TempENEYB.txt

MD5 8dd5104a3409226cad2280ef472c8e22
SHA1 4d9fe1838efd406e46d6e277292799540f07c0c0
SHA256 e29c9a70fbb0dc56de0e255fe805153be54d09f3092b156c7e7faa216eb62907
SHA512 1ede201d023d6f4b6b514e522c8bdaf29d1c68a509aa680aac2cf1088cd83c80749bb4706792ef9a72b23f4d476d6c8a0d322620768d8955452977e5dba182f1

C:\Users\Admin\AppData\Local\Temp\GOGYPMGBBQROXJP\service.exe

MD5 86018240e50e8d71369f6dc30290162a
SHA1 59b51eafaddb8feb9e58eae92e330f3a1e59272d
SHA256 b43fbb04fb1dc2c8971f562216678b8bd51f2684f7240125c2df1d32aa6aae31
SHA512 eb92a894c0d95186a0fdb7452badc61c18d7485028f05979e7a18d4225c575be7a772a46204e407938f67a50917a8ed7b69b4e90b67e33fc353eea767c404f73

C:\Users\Admin\AppData\Local\TempQUPWL.txt

MD5 96ee9589f991bd9c3dcd56ca158d2b77
SHA1 d2f5d1b16cd3d9e20d97d95d27e2228461452ede
SHA256 73ac7be5d82c6725cb5c08a99f4af57ee5e888a45d4db04ebdc6a60137923571
SHA512 d37955950a9eaf0eef608960dec84def0baea494489226d19651c63d09e6c869007a9d44297c63de5fff6f5ecf02f14447b1f2a811a8b534ad0c5cfa6812f543

C:\Users\Admin\AppData\Local\TempOVKKL.txt

MD5 a091f0642d8decf80e3f93dfcbeb518d
SHA1 93cfc063ae015356ac6e12babe396115fcef6fc5
SHA256 41d69ca3bcd411c767d8b2eefb24a47be0f1afaeee778ffaee30cad0b45a0a3e
SHA512 5a90f69a30fc3ed2cb2ea0716f3eeec9b57e7055c394d32ddcc0d5b2d1e35ac314115dc2b86f563ed4bf5e5c226cb852c98519a04b20a4a1cd2ccc007e54dfb3

C:\Users\Admin\AppData\Local\TempLMWSF.txt

MD5 e14077320dc6fd79041e1f2f5c53daa0
SHA1 9489ceb4b9d6d491d9c6bf1a310ff5172a21c368
SHA256 32817daded980b0f45aac82c119f2819e6ce8edeff2b9b5a6a3c6733cf81c254
SHA512 18ccf852fb3d3aa17a812a198521cdaa408a2440912773ad88e54fd895e79f1f2187ca75f1e649c01fa03de6194318f8e690ff4fc5003470eede6d907a94402a

C:\Users\Admin\AppData\Local\TempBCQML.txt

MD5 8d86f28783818b00d00158c46f8da59e
SHA1 1f0a969aa8f6c8c820a319e7791e154c5d299165
SHA256 abe83114d6a00d15c9a9c527cd9b366d8df7cd71625a062cbc8e98f2e1c0bb80
SHA512 4e25f60af9bffab402d1c6d75f1763b886f956aed83007c4bbbf298e7836685bec30444f17c8e5366c79a5d749365f14e83690a1748e1e78c9e72860f0788b4a

C:\Users\Admin\AppData\Local\TempUASWR.txt

MD5 561a2619cf82099c2e4defc9913510f4
SHA1 5a386310f2288f7de4df581d5b555ffda2fd8588
SHA256 b3e66fff6c04128cefce587e729fe0e5aef59772b1b4fb4b1120d9282b703ac1
SHA512 7fa9d688a0b3651e4e3da103fcbfde3bed245c4c8790a24169aec71b86a6c0d20496fb7c9b4f07e1fe4d509997fd486e659a8c64e51dd4f076d38bd9fc3a71dc

C:\Users\Admin\AppData\Local\TempWNLPK.txt

MD5 1f55acadac2c78e221a99ef65032d0c7
SHA1 bcc1d2a1d7f575e74490921a7b7908c13cfd3df8
SHA256 56ae70aa3f6e5a16132b8548f251e545e74997e0c8b85c9e24b4a63346e4887f
SHA512 db64c6c504f1876ffabe0faa6f7bbba513bace57fb11a10f7da738e7b21beaa6acad8b8c049ad0a98341bb3818fafe167d435cb71b75cd3cae0d6b836b5629ec

C:\Users\Admin\AppData\Local\TempIBEGP.txt

MD5 c2f64f3233bf56357f27581e2b4b8ffa
SHA1 2beb8929282332bbf427df43f1dc37ac22b5699e
SHA256 c3cfec79e8623c36800652cfe8b46e302f5964971a7609647826d63d3083bf49
SHA512 5594344e29a0bf4416991f81de5a1fb59e73dd3e79e0a70e1a12ce887152aa625052adff610fc2e415168a78a7075949a31bf9f793fa910de4beb7c22f49c83d

C:\Users\Admin\AppData\Local\TempURPTO.txt

MD5 fd5ee226421b503e4c86eee1780364c1
SHA1 33337d5d5896dccff7c759bd9efb84df584ee5d3
SHA256 6b6c9674cd203a55167c24c71a25105bbd1e77762b9d39dcb9b4fad94cb451ca
SHA512 1fb6c5e2c4cdf5ec3adada62724d86a3cd851a5e3d86fcd2b4f5ff3d93fd769b6a51079bc3e7d5afbf2dfcb419020c87fc527f217d9cfc007df1d9920053382a

C:\Users\Admin\AppData\Local\TempQOQGU.txt

MD5 8728ba4b7e9c70b38406e4d7f6cad7b8
SHA1 30b4f6df0254e92fa9624187414178f4f1fde3fb
SHA256 0097ac2c7bd35084c1ab6f705e9e77b8bdd34c29b2553dffe9140c3d3863f37d
SHA512 0f1f686a1124fe94a5c3d779d05dc05223a5acf7b26cfbf31b4ca150f1f504c97a81125f34bd0b592de680bcc3494f1bd33e4aed599dd8cabe02a20155d4309d

C:\Users\Admin\AppData\Local\TempVREBQ.txt

MD5 6dda3e6683f24fe93d3aa84e5ac181d5
SHA1 1a44d1a3c74a6a8be49ec81d109c99ca42b38a6e
SHA256 3e368e66aabca5e568195f15dde97a621399ca25d24f6fb110631215653deb0a
SHA512 b0b565736ebca2f1ac1623456ff890cf80896c38f5e907770e27f06ada0f9499ae08dadda138bba39e0ba92150658ba771e43224d31a57475a8e44b2f192b6ba

C:\Users\Admin\AppData\Local\TempXDVUQ.txt

MD5 1a81a51970096ea7f7fb5f137e158e8b
SHA1 4f81abb5daf7f1d60cad004d323a057cdd71dd81
SHA256 c8473aa3472cc5d0b6e482cc52db55cb4cdc6289f16bbc4887a227edce326c33
SHA512 1262a27b7b68dd29f4fbc8558fd5aa745fa59541b7bcf649f547b594df3141a9de0d87577acb7e8972dc95bcf2c98c58ff7e9d54da19afb2ed349f5384f9d244

C:\Users\Admin\AppData\Local\TempQUPXL.txt

MD5 5d0d5ad40d6fd09a0d716640cbfa1ac8
SHA1 ccaf0e23a3cff154b4863714b904dde9f3a05e47
SHA256 7e9d503b5dcf215ce570cee881dbf382d056c6d601e8859ff668b1348cce0159
SHA512 8b6a6f15623f84655016c2877899c30d5b3e475d666c3f08a175f1efcdd08231927338c839d2d3f4d9fb7ab6c58c68df1c09b8e28277ca9bc8b1a92d8961d4f2

memory/3988-883-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-882-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-888-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-889-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-891-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-892-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-893-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-895-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-896-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-897-0x0000000000400000-0x0000000000471000-memory.dmp