Malware Analysis Report

2025-05-06 00:16

Sample ID 250124-cbsjcstngw
Target 30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe
SHA256 30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d
Tags blackshades defense_evasion discovery persistence rat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d

Threat Level: Known bad

The file 30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Modifies firewall policy service

Blackshades

Blackshades family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-24 01:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-24 01:54
Reported 2025-01-24 01:56
Platform win7-20240903-en
Max time kernel 118s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNKJNBEAOUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLYHHTQNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEEFAFBWQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWKLHFHXKSBMRBO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMVEAYOTYEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIXYVEFQWNLPKSG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKIKAOVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIIGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGATWARK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPUMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQVBCIAFUTHIECE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBYNMNJHOJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HFJXYALQXYJBDRM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOKIKANVEPUERCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYHDRWHIFOAGLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1164 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1164 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1164 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2384 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
PID 2384 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
PID 2384 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
PID 2384 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
PID 2408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3000 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
PID 2408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
PID 2408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
PID 2408 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
PID 1200 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 752 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 752 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 752 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 752 wrote to memory of 2148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
PID 1200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
PID 1200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
PID 1200 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
PID 1144 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1144 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
PID 1144 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
PID 1144 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
PID 1144 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
PID 2936 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2908 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2908 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2908 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2936 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2936 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2936 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
PID 2232 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe

"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHYAHH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXYVEFQWNLPKSG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUHPJO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCIAFUTHIECE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGATWARK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMGBWP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HFJXYALQXYJBDRM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country  Destination        Domain  Proto
N/A      192.168.1.16:3333  (none)  tcp

192.168.1.16 is an RFC 1918 private address, so the single outbound connection attempt recorded here targets a host on the sandbox's local network on TCP 3333 rather than an Internet-facing controller; it is consistent with a build configured for a test network and is of little value as a network IOC outside this environment.

Files

C:\Users\Admin\AppData\Local\TempDWWLU.bat

MD5 21d51ecedc46e539f6209a6366720a52
SHA1 a2b59a2415b66162f8f3953e9227853ee1ab3186
SHA256 29d97e122e271f038c88da17c66955d2e8df8775b6dda841f1d1bd324e16e7cd
SHA512 29711e705ad80ca54f15b5e4a572a89067f332b163e706f05b47723236b6bf314df7d60e8060828a00224ca342b5e9a6a7b9c8cd27fdc17ad29f3036fd31197d

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

MD5 ce047197e105d577647d4a1de7211f16
SHA1 3ababd2ff909c29cef5b309c23856c5c06f1aed8
SHA256 ed4c348dca267adcd02d20f01c0b4572351ed8d019f700bb484949faa21118a6
SHA512 3c15440871ae87da1b6cbf37cb8fc56a1b2c355c9ccc8202df447f043ccbcc14ed307967cfe8ef24970bb658b2d7d339bc7ab729f067346472ef34e52f2e6a4d

C:\Users\Admin\AppData\Local\TempHYAHH.bat

MD5 d3b77b280a7cb43a7da70fbf515d72be
SHA1 fe28f5a1bf33d4f85896df6a2b134f96c85f11b6
SHA256 52eb451fa10d4ea85ad4adcfdbc23f05b07ef9e04f701fcf5255dc827afbb83f
SHA512 6b533800bb7fcd2b1c667d270c9d4f42240c0a6173b33811d8173bdaa344377520332d5ef344671a4e99ca18f800c076a88fc77c66cd523b2d82a9ab9852a825

\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

MD5 556d8626a37aa8b412f2ee6b8fb47be1
SHA1 83b3bdba3e60b1cbe3da8f26934a98adddfee5cb
SHA256 a9459a314e0d6d8b5fb4887ba181ae9a5b7f8feed72c72615c44a422d1a00c91
SHA512 317d5baa4a4ae54c971435a66704f10af92e502d5d950a4a1a4fedfd0636c09452f6a716c544574d7e7ed9a7a772a4118e31b5c5d20011ca4e23d0b07243798f

C:\Users\Admin\AppData\Local\TempUHPJO.bat

MD5 ebb995f81295c2868c6edafeb7a65b84
SHA1 100b44a8a8684bacee2ed36e165ff3d6f457b3ef
SHA256 4332530bbb9b6c9a54f11683c8d706fcc0a5c3d7b52a1353f5a34336db82493b
SHA512 3ba539e1c2b37c7a4a80bb4c7323a40f16c52b7e5db2a2930b2e090999d7033909ce68c3604f3643ca6bab68281dc16f3930f98d8a81e80499cb90e7fd9019ab

\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe

MD5 8247ef8ef91bbcc663783ada5bf0a4cb
SHA1 be7e2a80be3dd755b6d21c3bfa63f43831128eae
SHA256 91ac882d3db5473cfe6e3ad86a1c74e563dd65e745c0baddf800f6b86bec3da4
SHA512 cf40e44bc106f68289d8d063d22f9fbb3ce7b4cea71f5272d2f29fa9fbfb3eae067c6b7bb237f7fc55977a4cebecbf25a381793604e26c56e0eae063c5fb9e56

C:\Users\Admin\AppData\Local\TempEDHYU.bat

MD5 b0e3f78dd578c1827bffd537f7263b0f
SHA1 866ca32b655e01effdd00b4526f5756a5a6df846
SHA256 da7a574d162e97a70dbce195f1ab7df74022ad3ef406bf41325a0ab8c5554018
SHA512 73a574929bca426493fbebdea7a601429811a25462d827b9c0011529ec14a7831b005af48b66cfde904ad8c37c055f48c06c0a077a0e7b5a67c960bf62b86897

\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

MD5 02408cee13c5a674b57f517ec523c3ce
SHA1 a61311b16a5a33e9319563f4fe406b1ca77e2683
SHA256 4cbcff077a07f7a1707165e0b5e42f24a4a577847fd9765718eb2ceb0b55dd30
SHA512 4fe3674e5073731300230c58721c44b2e37d43149fd776ba6b3fa527f750ba4a24f7132822cc424906bda1dc5a3e1fd582dab1ecf71a51671e3738f41702fe1b

C:\Users\Admin\AppData\Local\TempKLUQD.bat

MD5 d47175ceaacf560d2223f3a3d44fba27
SHA1 0d93ef4ec8d42c668c62ab148e2059347178421d
SHA256 7162b8b04111eda39d91132300930e3fba148a261394f77f6d2ed50a5a47bb57
SHA512 ce4a1856b81ee1bf877a47b2c76c7c675656bd5a4b140f894cab4389acf54d0be0dfed8dc890735412464d503e732dcfe1a99026839173998040c5b19157a7bc

\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe

MD5 7fc3f7113a94178bb247eacb45eec902
SHA1 6e63d6d7b8e50621d3725b9658f3c3e8c4c3fcf5
SHA256 caba49ebacc6998a3f76e4a5a2112d57ac55fc93e8035fe63d76092c3118a099
SHA512 87b0d56744786f46f761046e3ecc253620171e5a2238a169a073f526e60189b75de53f783d12518a9c3e0d7ab4273e9a355bbfc109bfb76de21c9341ec9e8ef9

C:\Users\Admin\AppData\Local\TempAHUCQ.bat

MD5 4b0d872f3f416957a182ff7e52c309eb
SHA1 0f1b526a0543465b9e3dbeda4d433788776401c9
SHA256 6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88
SHA512 4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

MD5 09d6167fd94df9f3b1a3f8e6ed9016da
SHA1 e5e5fa98ce8b42c5be7260dc7b7b2ff01140eca8
SHA256 ed3541daf5e2a6487f9635a37f5508e40a312b57e9ceb73b2c3f80e7fce337c4
SHA512 864ff401811a2457c648f17b30c0e30578a23b319aaf6a8f79f1fe816e14a37c57e9a99b74823603d23e70ec03e8374ecc78ff2b21397969ed8b9aa7c87b1992

C:\Users\Admin\AppData\Local\TempKSOXO.bat

MD5 090a59c0660d2a9aa20174a68b2c87aa
SHA1 c8b63fa0d9a493948d1fb8ebd6aedac3f5b16c26
SHA256 39b5ab49578bfa0b316ce8a98462b1359d803e6709054e4c6b9c900810365dc4
SHA512 e6a0b9e38ad4b47da4a78755015abed80f1194aa244c78570998a8118708fa8f0cea4f702eee743beea51e86ead1f24b9ab221001ce1656fc81e9746b8cc3551

\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe

MD5 157bbefaf94997383d034e0ad65927c0
SHA1 d03406ad8b31b478d7b18b0df3d7ad591a76574e
SHA256 c0076c42386ad73a1c30c3ab1797ac2b3b2148ea7663d176a46c7caf20310c52
SHA512 ed4f20024f7eeaf12a01387623013526d1406f2d3c7f723cf1fb4aca77ecfbafb2a393179af87e6dc0ff1859256149c1b36408ed48f4751dfcbccf6e214996c4

C:\Users\Admin\AppData\Local\TempSDXWL.bat

MD5 1a3da698ee8fa36e10bff6662c71beca
SHA1 6ef93721e781a68c788b0f3adf5c402e66b49f00
SHA256 02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a
SHA512 61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe

MD5 bd9e1dd80e2075258b0183d68e4d333b
SHA1 c07a687cdc3d3820d0a6ece3218ca9e56232c9c1
SHA256 a27d55505e67bc770447a20b6f7b579b604b343b65d3b5014c81976f51be65b1
SHA512 4cff15d4c9bbf3d23c13ff5dd0bab48bff1fb2356860b926c029d31c6b9717454c8f1746a32b78a7516978d1838a80e01631f25c55ff9029b8e4a471ce439c8b

C:\Users\Admin\AppData\Local\TempLHVUG.bat

MD5 de69c25118df8838f32524d5b65053ba
SHA1 d79b8934dab391b2f85b02ec96a6cf696e23d29b
SHA256 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921
SHA512 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

MD5 7c978bd9fe9466bdf3ad8a1a92fb721f
SHA1 689bf572239e8994ad575a7ace7cb3fd02a15b31
SHA256 d1900cdfd52dd0dbf05e0a12d924fe108a0581257e6437d9696aee90a276faa7
SHA512 d9a141e4973710794b936ee6e142f95e3469ce88ec126f31af6c5eef505865ca28594be07bb06e35c6bc3a969678230e55e5cb9a0ac4d02d1002e8fc6361d521

C:\Users\Admin\AppData\Local\TempXWSTT.bat

MD5 b0365534dd53081ab289eaa1f406d160
SHA1 2520a131bac7e82546a7c2f699d87e7e9d79987f
SHA256 b34a0d1c87116939b294e31492dd97f4f15695a8f11aef5c01ca626794fc9d14
SHA512 fedfa78fb3552323408d533ade49c7808907fd74f95fe2a9de01b2b75dfa2cd0e70d3ea77c38477e0e68277ea6f6d6c436b51c5d187961add5cad3f8954366e7

\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe

MD5 50531e7ac29b1ba6d7d53d18a03e471f
SHA1 d2b0b58f27d5fdeeb676a3e1ec652c44b1914044
SHA256 fb25eba1a050bda4b641497d3d3534816dd5a8645131085cf9838367d5822e0a
SHA512 b1090e256be32eb1f56a489585b9ef7a8a35c61efe449b6f936c2323c31273a7f02c101e2bd407e3fcb946474a0eb47f10b5389939217e704123f92666896de4

C:\Users\Admin\AppData\Local\TempNOXTA.bat

MD5 118316f9ac71d39001143c26a9796aa1
SHA1 47625f74d7f4be3a906e1954be2d451457fcd8a1
SHA256 123f455976de4f294a2fed91f4550a52696a3e4c13e3e525ed2077aafe9ded8e
SHA512 dac6691ac29cae9d8771513a0017ee180dfb8cf7fdc9d76c703cda99b72793c9f4dd2795fab7d35ecfc0d863e8d85e7d698a328daf01df1f7ff58cb52ea8222a

\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe

MD5 7f5b66a9057143b2a5f2b885ad61d2a0
SHA1 8402bb85e76818057716f8d2471f876d659b821a
SHA256 c5d1aee7ac4ddcd4312ab5f1ffe938791f3aa193d06626f5fe853a466b4b116a
SHA512 670be86b4816ad01321b1b8bcd136c6af2e857ef1606d110000e852412550c14feb9cc08d02583cf0aaad3928bec7ac9b0072775d836c7e104551f94237a8c7a

C:\Users\Admin\AppData\Local\TempMGBWP.bat

MD5 81ecb0ab40151e671376d193c693fe6c
SHA1 cafdd1788bb3f98758a0e9d1dcad376e83dad883
SHA256 d1ddfaaf26aff03f199177601135bcb60d336079f7cd066861b78288ad8c164c
SHA512 fe68e7c30baff506b8d7d15954c9499908f73afe6d311e3138001d441f17fc3facaee25afde536490e2d007a7694e92e21c3a5cc324465460b8fea60860b962e

\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

MD5 dbc872b7f7e5bf9ca0f89d0b6ade74d2
SHA1 a89c873335f6d3874c5bf9c11924412131db85b0
SHA256 e219fdc65ee9d99551d8762e312eb6a713df034f0dc95372244f9ed534fe9bb0
SHA512 ea8b6402f4d8cdaa832235f167db35bb702c6664b5e99c18effff01b3ca0407737ae55e38364443215b0d9c0762bc19bbee07aca074147c77d9dcd86a4d43b5e

C:\Users\Admin\AppData\Local\TempWCUYT.bat

MD5 797a05802a5f3d6699024252559afe38
SHA1 ab85f1b33d35de1a5d5f55187c816bb4237eeca1
SHA256 16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074
SHA512 73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe

MD5 6ca3ef898dcf7e53d5617385c1755e0a
SHA1 001f933c01599b2ec010132dca6459279a1fed81
SHA256 896162e80ebe40d78051c1138f5284aead669a0870573c0c29969fd8a574842d
SHA512 da3e6bf63a0af6e86d66349daa58e472f31f72b6ab7bed6114f2805406508fb954db650bf3280b9173e7e2b9bdf9f6d40274d6df4577ed4c0eae8204432d7e49

C:\Users\Admin\AppData\Local\TempFXWST.bat

MD5 f5dddc8c8195b915447e8eca984daf4a
SHA1 92ac8e13c3544047b426c6a188f1e272801f7f73
SHA256 b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4
SHA512 f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

C:\Users\Admin\AppData\Local\TempKNOYT.bat

MD5 f485eb466d124afe4f05082cc3b835ff
SHA1 00bd1a4c37f772616c2e3f6e3fd4c53341e1d523
SHA256 6246d34daef7970b9cab9952ec458e097ce05455408db8ddb3589dab848a9f9f
SHA512 dc0bb4ddbfef6bd302503539ea82d43aa0bd338da0a46a4e63a2701a77e87bb41c6f447ac5504908c900a7f511d6c9e516395b56235c00f56ee2eb5ca12325af

C:\Users\Admin\AppData\Local\TempLPQVB.bat

MD5 0b5902a513078dce612bdb0904f70d14
SHA1 96280bd49e5a5305afd1e9564f063b95218562e6
SHA256 e1a1bdbf6313d19210601de717b5f513cae9cf90ccfb50ba9e06b6627b20bae4
SHA512 76067c4641dd3e186b1cbf0f8c969fd58a38b5b72f444ba6c1be91e0b1d9d2dacaab831691e972d1fda45e9546469f6400ed3d2814d2435fb91b838e6ac6095f

C:\Users\Admin\AppData\Local\TempLHVUG.bat

MD5 c3c3462e2857382d6b4982d0f2670492
SHA1 2d448b4ed6165ee31b3b48392ae09ae4337bcb54
SHA256 e7335fd821058e1b7b0dced6304042c8bd86ced20b87f715eaad2f7eecc66ba5
SHA512 9799fb74c578cad99ae28fcf8e1670b1418a589a44c365f8890cd445a642c46828e4c96ff7489f85015b67e059cddff96d86d528ceb23a0763f602391eac843b

memory/1604-474-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-479-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-480-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-482-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-483-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-484-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-486-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-487-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-488-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1604-490-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 01:54

Reported

2025-01-24 01:56

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
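The REG ADD command lines in the behavioral1 process list above and the firewall-policy registry writes in the table just above are the two durable footholds this sample leaves: an HKCU Run entry per dropped service.exe, and a legacy Windows Firewall exception (DoNotAllowExceptions set to 0, plus an AuthorizedApplications\List entry labelled "Windows Messanger") for a binary under the user's Temp directory. The Python triage helper below is an added example, not part of the sandbox report or of the Blackshades sample: it parses REG ADD command lines of that shape (with or without the cmd /c wrapper) and flags those patterns. The command lines embedded in it are copied from the process list, except the final OneDrive entry, which is constructed for contrast; the "impersonation" check on the exception's display name is a heuristic of this example, not a signature from the report.

```python
"""Triage helper for the REG ADD command lines seen in this report.

Added example; it is not part of the sandbox output. It parses REG ADD
invocations (with or without a ``cmd /c`` wrapper) and flags the two
behaviours the report records: HKCU Run-key autostarts that point into a
user-writable Temp directory, and legacy Windows Firewall policy writes
(DoNotAllowExceptions=0, AuthorizedApplications\\List entries) that
whitelist such a binary. SAMPLE_CMDLINES is constructed: the first three
lines are copied from the Processes section, the fourth is a benign-looking
entry added for contrast.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f',
    # Constructed for contrast; not from the sample.
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f',
]

# REG ADD <key> /v <name> /t <type> /d <data> /f ; the key may be quoted,
# name and data are quoted (as in every line of the process list).
REG_ADD_RE = re.compile(
    r'REG\s+ADD\s+"?(?P<key>[^"\s]+)"?\s+/v\s+"(?P<name>[^"]+)"'
    r'\s+/t\s+(?P<type>REG_\w+)\s+/d\s+"(?P<data>[^"]*)"\s+/f',
    re.IGNORECASE,
)
# Legacy firewall exception value: <path>:<scope>:<Enabled|Disabled>:<display name>
FW_EXCEPTION_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<label>.*)$",
    re.IGNORECASE,
)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    category: str      # run_key | firewall_policy | firewall_exception
    name: str          # registry value name
    data: str          # registry value data
    suspicious: bool
    reason: str


def parse_reg_add(cmdline):
    """Return key/name/type/data of a REG ADD command line, or None."""
    m = REG_ADD_RE.search(cmdline)
    return m.groupdict() if m else None


def in_user_temp(path):
    return USER_TEMP_RE.search(path) is not None


def classify(entry):
    """Map one parsed REG ADD to a Finding, or None if it is not of interest."""
    key, name, data = entry["key"], entry["name"], entry["data"]
    klow = key.lower()
    if klow.endswith("\\currentversion\\run"):
        susp = in_user_temp(data)
        return Finding("run_key", name, data, susp,
                       "autostart target lives in a user-writable Temp directory" if susp else "")
    if "\\firewallpolicy\\" in klow and name.lower() == "donotallowexceptions":
        susp = data.strip() == "0"
        return Finding("firewall_policy", name, data, susp,
                       "DoNotAllowExceptions=0 re-enables the per-application exception list" if susp else "")
    if klow.endswith("\\authorizedapplications\\list"):
        fm = FW_EXCEPTION_RE.match(data)
        if fm is None:
            return Finding("firewall_exception", name, data, True, "malformed exception value")
        path, mode, label = fm["path"], fm["mode"], fm["label"]
        reasons = []
        if mode.lower() == "enabled" and in_user_temp(path):
            reasons.append("enabled inbound exception for a binary under Temp")
        # Heuristic: a Microsoft-sounding display name for a binary outside Windows/Program Files.
        if any(w in label.lower() for w in ("windows", "microsoft")) \
                and not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append(f"display name {label!r} impersonates a Windows component")
        return Finding("firewall_exception", name, data, bool(reasons), "; ".join(reasons))
    return None


def triage(cmdlines):
    """Parse every REG ADD in the given command lines and return the findings."""
    findings = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        if entry is not None:
            f = classify(entry)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        tag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{tag}] {f.category}: {f.name} -> {f.data}" + (f"  ({f.reason})" if f.reason else ""))
```

Run it against a process-creation log (Sysmon event 1 or EDR telemetry) by feeding each recorded command line to `triage`; on the lines from this report it flags every Run entry and both firewall writes, while the constructed Program Files autostart passes. The AuthorizedApplications\List format only applies to the legacy (pre-Advanced Security) firewall policy keys, which is why the sample's writes register as "Modifies firewall policy service" on the Windows 10 run as well: the key is still honoured for compatibility.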

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTSWJNJHXVMLOJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHMEVMALB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JTPKTEUETURBMSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSITMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMFJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGVVIKFDGVJQLPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TBPOAIARJFAQJKU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KYUSCXJDXEUNQRW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JNKKWSQUPXLNFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHGIDBIDYTHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQRMLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGSDCGYXUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRSPYKQVHEIELAX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MREIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IWSQAVHBVXCSLOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXRPRDHMAM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BTXSOQCIPPYAUTI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLLXURWRYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XENXVFBMGHXQTUG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOPLK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BNTYKHLHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTPKFAEUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQLTHIBIIRNVMBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKTFUEUVSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVLWPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONHRYIFPJKTWXJK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJJVSPUPWLMELMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYCFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBDGRTOMOESAIUY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYPPNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FNBYCVTCCVLHPGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPOQCGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHDXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CJVWRPSHVDMDXBM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENWUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBCHAE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DPQLJMBPWGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRIFATXJKHQCINA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UTHIECEUHPJOLWT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JWSAVYXLPUBCIAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMNIGJMTDOTDQBY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXFCQUGHENFKYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFABWRELGLYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKILAOVEQUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJDWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFVWTCCNUKIMHPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AHMCNPKILAOVEQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQHUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RISOJSETDSTRALR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WVJKFEGWJQALQAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLYUDXNRXDEBKCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AXDVUQSEKRRCWVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCUYTQRDJQRCVVJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KJNAEAOUMDDFAGU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTAQYMXNJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFQVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIESXJJHPBIMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XDVUQREKRRCVVKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLCULIDWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WESRDLCUMIDTMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEUMAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TPNSERTOHLMVREB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBQVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXXBYTRAYUJXFN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCNKJNAEAOUMDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVAXSQXTIWEMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
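Every row in the table above follows one scheme: reg.exe writes an HKCU Run value whose name is fifteen upper-case letters, and the data points at %TEMP%\<fifteen upper-case letters>\service.exe. Several of the directory names differ from another by only one or two letters (GOGXPLGBAQROWIP and GOGXPLGBAQROWJP, BPLXOYRQSEINAMU and BPLXOYRPSDINAMU). The script below is an added triage example, not part of the sandbox output: it parses rows in the format printed above (three copied from the table, plus one made-up benign OneDrive row as a negative case), flags entries that fit the scheme, collects the value names and dropped directories as IOCs, and reports near-duplicate directory names by Hamming distance. The regular expressions and the two-of-three-traits threshold are assumptions of the example, inferred from these rows.

```python
"""Persistence IOC extraction for the 'Adds Run key to start application' rows.

Added example for this report, not part of the sandbox output. The regular
expressions and the scoring threshold are assumptions inferred from the rows.
"""
import re
from itertools import combinations

# Constructed sample input: three rows copied from the table above, plus one
# made-up benign OneDrive row so the classifier has a negative case.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFDHCKVXSQSIWEM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWIP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WCUYTQRDJQRCVVJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GOGXPLGBAQROWJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe N/A
"""

# One report row: the writer process is the path that follows the quoted data.
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>\S+)'
    r' = "(?P<target>[^"]*)" (?P<writer>\S+)'
)
# Dropped-copy location used throughout this report: %TEMP%\<15 upper-case letters>\service.exe
DROP_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\(?P<dir>[A-Z]{15})\\service\.exe$')
# Run value names in the table are 15 upper-case letters as well.
NAME_RE = re.compile(r'^[A-Z]{15}$')


def parse_rows(text):
    """Return one dict per matching row; doubled backslashes in the data are collapsed."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["target"] = row["target"].replace("\\\\", "\\")
            rows.append(row)
    return rows


def classify(row):
    """Traits that match this sample's persistence scheme, in a fixed order."""
    reasons = []
    if row["writer"].lower().endswith("\\reg.exe"):
        reasons.append("written-by-reg.exe")
    if DROP_RE.match(row["target"]):
        reasons.append("target-in-temp-random-dir")
    if NAME_RE.match(row["value"]):
        reasons.append("random-value-name")
    return reasons


def is_suspicious(row):
    # Threshold is an assumption of the example: two of the three traits is enough to report.
    return len(classify(row)) >= 2


def extract_iocs(text):
    """Sorted, de-duplicated Run value names, dropped directories and full paths."""
    values, dirs, paths = set(), set(), set()
    for row in parse_rows(text):
        if not is_suspicious(row):
            continue
        values.add(row["value"])
        paths.add(row["target"])
        m = DROP_RE.match(row["target"])
        if m:
            dirs.add(m["dir"])
    return {"run_values": sorted(values), "dropped_dirs": sorted(dirs), "dropped_paths": sorted(paths)}


def hamming(a, b):
    """Number of positions at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("hamming distance needs equal-length strings")
    return sum(x != y for x, y in zip(a, b))


def near_duplicates(names, max_dist=2):
    """Pairs of equal-length names that differ in at most max_dist positions."""
    out = []
    for a, b in combinations(sorted(set(names)), 2):
        if len(a) == len(b) and hamming(a, b) <= max_dist:
            out.append((a, b, hamming(a, b)))
    return out


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for key, items in iocs.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("  ", item)
    print("near-duplicate directory names:", near_duplicates(iocs["dropped_dirs"]))
```

Fed the whole table, the dropped_dirs list doubles as a file-system sweep list for %TEMP%, and the near-duplicate pairs tell you which names to search with a wildcard rather than an exact match.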

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4036 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
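The row above records one service.exe instance (PID 4036) setting the thread context of a second instance of the same image (PID 1448). The WriteProcessMemory rows later in this analysis record each parent writing into the processes it starts: the original executable into cmd.exe and into the first dropped service.exe, and each service.exe into its own cmd.exe (which runs reg.exe) and into the next dropped copy. The script below is an added example, not sandbox output: it rebuilds that process tree from rows in the printed format (copied from this report, with one duplicate kept to show that repeats are counted), lists the parent, cmd.exe, reg.exe triples behind the Run keys, counts the generations of dropped copies, and flags same-image SetThreadContext pairs as hollowing candidates. Treating each "wrote to memory of" row as a parent-to-child edge is an assumption of the example (the sandbox logs three identical writes per child here, consistent with process creation); a stricter hollowing rule would also require a WriteProcessMemory edge into the SetThreadContext target, which this excerpt does not contain.

```python
"""Process-tree reconstruction from the WriteProcessMemory / SetThreadContext rows.

Added example for this report, not part of the sandbox output. Treating each
'wrote to memory of' row as a parent -> child edge is an assumption (the
sandbox logs three identical writes per child here, consistent with process
creation); the same-image test for hollowing candidates is likewise a heuristic.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied from this report (one duplicate kept
# on purpose to show that repeats are counted rather than re-added).
SAMPLE_ROWS = r"""
PID 2796 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
PID 4636 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4636 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
PID 2956 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4036 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
"""

WRITE, SETCTX = "wrote to memory of", "set thread context of"
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) '
    r'N/A (?P<src_img>\S+) (?P<dst_img>\S+)$'
)


def parse(text):
    """Return (pid -> image path, (src, op, dst) -> occurrence count)."""
    images, edges = {}, defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        edges[(src, m["op"], dst)] += 1
    return images, dict(edges)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def children(edges, pid):
    """PIDs that `pid` wrote into, taken as the processes it started."""
    return sorted(d for (s, op, d) in edges if s == pid and op == WRITE)


def process_tree(images, edges, root, depth=0):
    """Indented 'pid image' lines, depth-first from root."""
    lines = [f"{'  ' * depth}{root} {basename(images[root])}"]
    for child in children(edges, root):
        lines.extend(process_tree(images, edges, child, depth + 1))
    return lines


def persistence_triples(images, edges):
    """(parent, cmd.exe, reg.exe) chains: the pattern behind every Run key in this report."""
    out = []
    for (parent, op, cmd) in edges:
        if op != WRITE or basename(images[cmd]).lower() != "cmd.exe":
            continue
        for reg in children(edges, cmd):
            if basename(images[reg]).lower() == "reg.exe":
                out.append((parent, cmd, reg))
    return sorted(out)


def dropped_generations(images, edges, root):
    """Longest chain of service.exe copies below root, each copy having started the next."""
    best = 0
    for child in children(edges, root):
        if basename(images[child]).lower() == "service.exe":
            best = max(best, 1 + dropped_generations(images, edges, child))
    return best


def hollowing_candidates(images, edges):
    """SetThreadContext on another PID that runs the caller's own image path."""
    return sorted((s, d, images[s]) for (s, op, d) in edges
                  if op == SETCTX and s != d and images[s] == images[d])


if __name__ == "__main__":
    images, edges = parse(SAMPLE_ROWS)
    print("\n".join(process_tree(images, edges, 2796)))
    print("persistence triples:", persistence_triples(images, edges))
    print("generations of dropped copies:", dropped_generations(images, edges, 2796))
    print("hollowing candidates:", hollowing_candidates(images, edges))
```

On the rows in this excerpt the tree shows two generations of dropped copies below the original executable and three cmd.exe/reg.exe triples, one per running copy; with the full table the generation count grows with the length of the chain, and every triple corresponds to one of the Run values listed under "Adds Run key to start application".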

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Windows\SysWOW64\cmd.exe
PID 328 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 328 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 328 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
PID 2796 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
PID 2796 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe
PID 4636 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4636 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3328 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3328 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4636 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
PID 4636 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
PID 4636 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe
PID 2956 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2956 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2956 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 2956 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe
PID 4844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2308 wrote to memory of 3484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4844 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 4844 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 4844 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 1300 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
PID 1300 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
PID 1300 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe
PID 1492 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1712 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1712 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1492 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 1492 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 1492 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe
PID 3704 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4332 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4332 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3704 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
PID 3704 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
PID 3704 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe
PID 3792 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe

"C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXYKLI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TBPOAIARJFAQJKU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDSTRALR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKINAD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CJVWRPSHVDMDXBM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGPLY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJNJHXVMLOJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTEUETURBMSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDEBKC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYUSCXJDXEUNQRW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYVBTX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVJKFEGWJQALQAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXURWRYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTGFTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AXDVUQSEKRRCWVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JNKKWSQUPXLNFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGFSWW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XDVUQREKRRCVVKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLCULIDWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDYBNK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFDHCKVXSQSIWEM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHEMFK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XENXVFBMGHXQTUG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSFESV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WCUYTQRDJQRCVVJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFABWRELGLYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMYUAS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGVVIKFDGVJQLPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWTSWJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQLTHIBIIRNVMBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVEQUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKTFUEUVSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVLWPNQBGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJDWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRMLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGAOX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSDCGYXUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQPBJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KJNAEAOUMDDFAGU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTAQYMXNJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXVEE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BFVWTCCNUKIMHPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQCIN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONHRYIFPJKTWXJK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFRCBF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AHMCNPKILAOVEQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYUBCH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IWSQAVHBVXCSLOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKYXNXRPRDHMAM\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENWUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBCHAE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNLTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WESRDLCUMIDTMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEUMAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCHYUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DPQLJMBPWGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe

"C:\Users\Admin\AppData\Local\Temp\IRIFATXJKHQCINA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREDRU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BTXSOQCIPPYAUTI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYQKD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPNSERTOHLMVREB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBIWER.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBQVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXXBYTRAYUJXFN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQQFOB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJJVSPUPWLMELMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJVGFJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PBDGRTOMOESAIUY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYPPNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQNMQD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FNBYCVTCCVLHPGE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVMWPOQCGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRVQYM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UTHIECEUHPJOLWT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JWSAVYXLPUBCIAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEWVRR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMNIGJMTDOTDQBY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOXFCQUGHENFKYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQHUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYTRA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRSPYKQVHEIELAX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNAEAOUMDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFQVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIESXJJHPBIMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 184.115.23.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempXYKLI.txt

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.txt

MD5 6303b2c3820d8ac21ae64417b49d2070
SHA1 e221d6849c7ff6c5ca7d1fe7db3a4a54d4785396
SHA256 244ca40d4dea30c28b523270c809f68647112927afc648b79a1637efa1f87abe
SHA512 2b6f3570015718887a9433a071f10d2c06f7a47dcdf99966440b2ec8ca48715c8b8d80d31b110ce942360be6ff540c0df0e55b004bcf1b60cfe8b564438299e2

C:\Users\Admin\AppData\Local\TempUQYPE.txt

MD5 474a8bdd998702329cbbfa871ad3275e
SHA1 49ea6726c74b64e11dc8a51df2016325bb13e021
SHA256 b91062336967dce92dba34e0dfc4a6f6a491b162b43473e1c80123cc2afba95a
SHA512 d6e92f1ea542187de6d2e5d5eeee2d898972be84497eef7017d755c547e00bc64dbb71491a3dd2824c0309cbef237d241c9b7abd05ae29ab9e789a6aea661b15

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHDXSGN\service.exe

MD5 f0f9c435a8359ecaf1432d366f83f762
SHA1 62dbe8b35d0d9d6c081e78f13e4b78ff6dff7587
SHA256 d43ca043b3621be54160f5bd394b03ab557125165e6d746cc5d552a013e9db62
SHA512 e9b098555c0c45a4ca3a8658f70412b1131a99a13f0d534c7287fe365cb882d9201e67e8db4f7c299bd73084928f74288d6db36bb8c57277a172cc799c1021f0

C:\Users\Admin\AppData\Local\TempWIGKF.txt

MD5 a39454a73687ba6724aac5a2dd46e82b
SHA1 5aefa4688cd7a115c87d470b61e35250366307c0
SHA256 a9ac5445ff333c0c317e924010a3b1df0807d3688171fa19ded3462607f36323
SHA512 008cbf3e97d0000d6e3934a0cd35c164cc4684768b032cf0235f5821d0d4aace012d2f04a5ae223b9dede91070f8cca508e6523a74d68c040e393139c0c46571

C:\Users\Admin\AppData\Local\Temp\MHWUKUOMPAFKYXJ\service.exe

MD5 2dfd2953a4523486f9a445a0d7f04a19
SHA1 49dfd01d930ce1cd07e872c2ec392004afb6902c
SHA256 a5c7036dc8c254a30f4e1475bffaab6b28310252f7d3d8dbd6e2464bd6c87b24
SHA512 712e39ef1ee54d8ae3c43bf501ea1fc412fc37293e9044801e35fe59299bc376e961da725628888a5d266615ee39bef9acc9fe3fea568ce04e2d5135e4d64ffe

C:\Users\Admin\AppData\Local\TempKINAD.txt

MD5 0a4949b01b555b96a67d5da734350f27
SHA1 56c8be53876cf2a4cb4a122a95500b662b637db9
SHA256 5561ab85d862f9fb54cae67a1647a69cf03b491656ac6ae32b7f1ffc6c45c07b
SHA512 bf98dd02cf8bda2f74c92a7fc5ac1af823ba3842260bb1a748e4e854e751fa228533a4b69880b7c0a2b3aa994bf65ba6b08253c18a4f712d9afbbaba364a7bb3

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

MD5 b9cb4660c43cf05541d5b2c147290488
SHA1 4a0a3372a8f6e31b2830ac1e0a9b97a475d8d4a2
SHA256 97e9f32cdeb8325677dc8fffa30eeb80d051db5a967cde941a9d905121c1f5af
SHA512 7f5a406f7339c255ca3c40a7d70673b05b965ecd364d2ea1eb256f892731f2389a2d3defba40d18ca9c8bdc909a6cdfd2d631825776707aa6e7bebb83cc35e32

C:\Users\Admin\AppData\Local\TempCAJXF.txt

MD5 dd9b85c1af6e757ed070222ec926d5fa
SHA1 3a3315571ea00bc351bcb25f1771fb38de381a6c
SHA256 cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec
SHA512 c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

MD5 5d7e0992bf8783e7873b38b61fcb6fb3
SHA1 6546020499051ff3af2b9e3e099152b6a0b77c5c
SHA256 f72f4ac4ac3bc8f9c1913ec4da05d6eadffcbdd79a502950854d6f1bb1686620
SHA512 9e94127210dfcb248f4df15a9588af105c61b0dc433b9e4be1a59694a81561ab84b14d9d39d5a2a23207af7c8d8fbd4de51547ccd410cbfdca5d8a3d161271fb

C:\Users\Admin\AppData\Local\TempFGPLY.txt

MD5 673f3201100fe8a257c12e36f4049a29
SHA1 f97afb1d3b91a839c87d2001b497351d2bf2f5ef
SHA256 4b736c214c6432ed6ec4c1b7c8ec97658fbd66a276b4b469e89b92fbf3721e26
SHA512 8ed78e8fc185d91af59d99ce418bbaf3e9079dcdccd1c38c0fe9574a4abfa6d0bb310084d07e2438261f6ba4d60d80b8286d94d763b3fe4c7ed902d9abd259b3

C:\Users\Admin\AppData\Local\Temp\QTICBIRHMEVMALB\service.exe

MD5 c265f95a1d0f7af1fdf466675b9495fd
SHA1 72db52d11b059f1e8dce72fa12de3574005be3ea
SHA256 9590ea0e52c581e737c5ea550c87b00cf3b6da5ac800f400e23a2adc5270615d
SHA512 d1a8842f1c482c77d041571608278b470c96df30497c14f9556f15d40a63d3ab952bfd4e39d4afbb48617e8a3dff25b0a85fe1feedf103a27326d00037ae08e2

C:\Users\Admin\AppData\Local\TempJHLGO.txt

MD5 a0c381d2968be48fb7079e9cafe78bf8
SHA1 0388345405dbf9cc6fa67ce3bd5c4829aa531c14
SHA256 e4f5c732140d0db0cb5f559867a4c66658387c88fc80233b72b93e573377608d
SHA512 3c2e7416eaeae3717d757b003ecdcea985df051d715064a095e81d4e5e19f96f6953786e6e7c931ae1ddd84a933b8c2e3d3718e77c1313c64dd9056111de1493

C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

MD5 b1b4ecd26788229dfe876c7dbf9904e8
SHA1 74326f58fae9d01bc5363ea2cc8dedd9260cb9f2
SHA256 9ee61932caf25bfe7fe90e13f0a2f493c6a2b71f810da2ff8208e99725626084
SHA512 bc020d048be7ba84443a428f4a6add394c83c3789455285d3d617954d81f6a96204e1e81593830ceb3033e595d94ed88c96653750fe6d93db793b000372f8635

C:\Users\Admin\AppData\Local\TempDEBKC.txt

MD5 707d04d8eadcf6c40e6620322e2f60ea
SHA1 45416b3283d41efde19d3ce6ae7769a89c3cc572
SHA256 b9cffa05a68797106287b7cef274c3078135649915429b468839807bfc206908
SHA512 05b6b331679438c4aab6dd2db1b6c7f6b9aa3f394a9a6508b057b89805e3af5ee2ae7747635c69c98e13f4e654ca6b0a3976775d42405dd402b1a961b496f798

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

MD5 4cc16737ee3c19d4cb0683fa348bad99
SHA1 76c0d51222e7392042374ed9ab807b86e6890fa4
SHA256 daf5f0d2b2d5aef15d5679dcc28dd7420f5dd00b9fe825fa038604cb0dbec86a
SHA512 83d2f9eb7bf764695127a723d80b2d14f7403866b401b9b0f6f3ebd7939ecce3244f9eb7b76ae19955934183daf2e2133b90d1050c5b2f69d81d28f8d3af4ba2

C:\Users\Admin\AppData\Local\TempYVBTX.txt

MD5 c2772bee63397964fc1f25ee8bbbbca3
SHA1 48e44c0cce80ee73c63a25a3a8009b3fd528b67a
SHA256 32a4d5b5dd10dcf83cd9cf00cb85f0c7cb7da4967d6d50ce0b706bd9f2ee31af
SHA512 708b5d55de48c769733ff60926ddbfe69db79880452adb0716b6d2f86306ee1b24c9f31c677bd8d5b780e2cb1a71baa9443a28783417a2e0a9de08a40bdf6d33

C:\Users\Admin\AppData\Local\Temp\CLYUDXNRXDEBKCH\service.exe

MD5 35ddbce7095ddbc50626db5f7e7befaa
SHA1 32085504ab18d38758d8fe5ccc92c44339710ac9
SHA256 463db2a20afb084e5ec3a6620ea95d54b588ec4caaba7e0341fb3648aade4cff
SHA512 64151797e4d97d4e2a84cbd5d5867b862e23f33a3ceb651c190dc184fca8bd2050feee2f80da83220ed23a41dee959f8f73d65ccf505f593185498b9505f0fac

C:\Users\Admin\AppData\Local\TempWSSHQ.txt

MD5 e889e2b2c41c2d89c09d40bee5a9965f
SHA1 dd4fe27268d34a17fb9a8aeb3cc364fa9856619c
SHA256 eab66596afbf5158280d6e54619d09f40f154cabb151d5f6d3f8e1fc7ae5dc7d
SHA512 b85ded74a7f5ea8059fe93e46425cce45aa4958eeae4a1ec8bca376ca365c3cc4c44ac079dfd82b0d0e79599e41dcc185eb25983112e63735b5ed40a0563da21

C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe

MD5 ef5c29995033ffedcb0da1165b755513
SHA1 572a935c031567f617234b976a2cb5d37024fa3e
SHA256 57729ca4207de7e1f77708aa9d92f9abece4c0df29e7c3d11540ad7799784684
SHA512 36b268dce93da4d8a1d5949cf0c31633032b5d62e5ddbbc9914f8f0082511268475985ea5e4552c8dbfdd097f7c5e31ac71da21c8baf31d46aac887c6932f318

C:\Users\Admin\AppData\Local\TempTGFTA.txt

MD5 c1467c6fa1d4ac04889d3e595dd3f1d4
SHA1 312bf2d74dcaf1cd3ba780d752c02e472af2f816
SHA256 ad3c5dabc4cf3202c878dbc084dd6719632e6e611a3395aae0ba6e85542a96fc
SHA512 c55db1d35d75f2369b1f2149839b35a07c176113ed0d46936a937fc0fe94a75d8d688bec04d0cfb7cf12a75dc9466eb3a126e38bb6586f6b7719924ccf7a1247

C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

MD5 a9556eea3012b436dc0bcd3dcc1dbf13
SHA1 d41ac58629d8e21dcfcb1ed54a1fb4ddf79530e0
SHA256 a179f25dbf2f045a04c8f005838c87359416c7f023e30a6e369e42a113119099
SHA512 e47b21c571af6b136c9ec8f536cb1475a0b8907f253858ed33b31792d54066a1e52c94a3034f0005675b0e3a1f845975d807f831800ac6a4844cad0fd4951938

C:\Users\Admin\AppData\Local\TempVRQFO.txt

MD5 b4884fa88aecad738e4f70a6df7c5442
SHA1 896ee53454e23fe6250ff107db15675c733c2458
SHA256 30b1803e2d106a97c62d74f5f1290e0637bdafb5743515bdb7a5787523691cc4
SHA512 d95c13394aa5aee5f3ea07e07b7a525b6b6e7be83170fcca6a4aaff8c3e45bfe7f2b899bd6bc102b8d9444c7b0cd3ccd491f408bd9ab4bc8097e14e379d85572

C:\Users\Admin\AppData\Local\Temp\TMLTHGIDBIDYTHO\service.exe

MD5 d1786870294549fa280c30930670f474
SHA1 8c85a583a7eac0e0ad3e540224f1ca1b8b715075
SHA256 f3ae262d5dcacb7ec31115efa0545cff62eb794cc2ab943d19b33f50dcd1fc3e
SHA512 b4f4b7d7c1474a9d80b083703fc6bdf47524a060fd902a9737832ceb241b4dd1d48c3dc82451899ea49599d731f0dead36019ad59035a517cde6e7d239128188

C:\Users\Admin\AppData\Local\TempDYBNK.txt

MD5 4b6d47751dfd37738277cde9ea821f56
SHA1 89d9dd9b82f6c6f682b22c0b21e1b9479884640b
SHA256 772c800aa5c76ab47196bbecc34bfbee419d02e90f6de096aafbbb6a77a0dec3
SHA512 21dfe78a52933747ebb17d8a8b3d0b4dd67282e8e572a02f91fb300d50b4a98a7467882737a183db455215d7c446fb41c64469346699dba1c12cf15026f474d8

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWIP\service.exe

MD5 5a5732461c5c53edb7e03d6d1f09bb89
SHA1 f5078e0f939bfd0842d0150236efbe4e9bf5a0de
SHA256 57ff260c51d980cfd231f82ec58cb1474645f72b42b72e70a83453260323a8df
SHA512 d68e029127dc3c2447ba2d15fcdd159790215eda7de85fc97b5975e0dbd2c8cac50e5c52328980b1d3892fdd92d61a719b0fd0aa12e03c5b987f1d3a0b5838aa

C:\Users\Admin\AppData\Local\TempHEMFK.txt

MD5 c25dd0f6017a27e1c0d70b5c1d5f248f
SHA1 0d367edfd96e45c8a8a2aa68cfd91f8c64415e9f
SHA256 d885731cf0fd31ef0fb85461360ae0166c60843ed53bd6e5e2e5e9ce7f9754ff
SHA512 00597dc4f125ce98f44d02b704ea1de8dcdcdc4e88aebd4a627e2eee67e81edb34c0cd34d7b962cdefd466e6e572a5059147424b54e69dd58319fdc26720e46c

C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOPLK\service.exe

MD5 df31252eeb149edf9865d26680b62e4e
SHA1 4f112a581a13f550a0523b0b8329ae318f902f1e
SHA256 0afb5672736d2d2b1c17324ce3ccaac50889f9fd490253fb00462ee1a2802752
SHA512 e813185b8df9b1917cbe50c51add1a1022f2e4065047c7e4f5c6f169a1e1da6e9e47295eb811adae52e3b116a99df9f9a34d7538e5b6ad50b7b3544a2d4e4c2f

C:\Users\Admin\AppData\Local\TempXDVUQ.txt

MD5 4004805be9425a828f1421bab4a3a78b
SHA1 b8a6fc4e959fdff961ce6aab8090fd1809c19590
SHA256 967b88ff41ccebf1a53fa4b1085ae1805561464d535440c5598d4e9072721aa7
SHA512 37625ff599536cedc336402ed823bbaf31b7d12c05a87e674cfb4f0fbfa7b2a6386f66eecd0373c43d9ab9637c2127c66fc31de07235be3baac2aaf0b1f193b0

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMFJYA\service.exe

MD5 a908ce620cb50424094fa1b652bf15f4
SHA1 53e10406621db65f987ef1efb151e49d501954dd
SHA256 987a9a570a6171984a159e6ee752433948cc756ef13ae9ed989f495fec04a24b
SHA512 8522165d77ba1f37fdea76c9f26be2daa3c04a8152709947de807783252894e1b6603b742a2d39b86d3bdb5a2d97bd06e4c3e6d928924c3e8f6cf63bfa0952e1

C:\Users\Admin\AppData\Local\TempSFESV.txt

MD5 6e0058352b4cfa865c641f38e4ec9528
SHA1 5333d313b12f5ec9112dc290d7c8ab26275270ea
SHA256 61bfd6e3fa523751a4195557da3cf1417c5db08e6b4f3bbd55e3eacdfd279988
SHA512 7c9d0cad77dd9494e10ae086f73af3ff87a24f3326f996a9f3d5d5aeed123b885d0d945528b951e7371d7f8466368f977b80e5fbdc412b090de53ffbcb20ec57

C:\Users\Admin\AppData\Local\Temp\GOGXPLGBAQROWJP\service.exe

MD5 bb9c8dd5418189dadb7ccbd4705bbfde
SHA1 363370a6b43753d2ca49e05110fa4519416cd32a
SHA256 7af88d0c8c168d211f4749402520434a571876b66d1a9533dfaccdfdaf2a8c35
SHA512 ce024e212f0b5e1014effc32f227cf6b59f41721ce902b6887a7f2dd19f76deab0d4270f8a2e53cfe506b70194305c1c55bd8dcd710f5d6cdcb03c9ac8d5f625

C:\Users\Admin\AppData\Local\TempTQOSN.txt

MD5 b1f3919dd1aff2b33d48792acea98956
SHA1 6ffbc4267dab56d021602cdf82b34b09c7ce68af
SHA256 1b5360c0685d72464a008f6b3cc2abf844c308d0fff252e585965283667e6d4f
SHA512 54b8d5cf03738efbbfdc1475f9950f73c134099db5beea390698d66dff11737a84615f93bcb02da68e0bc1c7629bf2ed32213c5ef2fe989f8c5b9755aaffaf4d

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe

MD5 679319d1465aad32d3c7bc882e51134b
SHA1 12523da9a2b640a577446ab549febd80519f8dc1
SHA256 297603ab96cbd7ee24ebc552d9fc9225eb2ac095691c2d5dd3656e8b60228779
SHA512 69d3839fbdd8e17772afdcc11d85a2916b9afed8a7264ddb6f4374809285fd5c4b395fe0a087210ff95bf08c74699629ed99b6c7b8cdabf2e37bca2cadeca55e

C:\Users\Admin\AppData\Local\TempMYUAS.txt

MD5 5de012dba808a76cac73bf7f9364e253
SHA1 1a9b1bd168ee27c68a1ece87de004a4f427855d9
SHA256 7d865e2ef3ac909137da14b315f4702a09140c56a9fa6769b872eb11d507d273
SHA512 e758aa5d3830b2e6cb6d8006567c85396fef39cab20aea6cb769a55213839a18256f3d201f1b77be0c3aa6790d7db39ff2b90edf5ff06e400090b881c47f1a29

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

MD5 9f605a51590016d9ca9077ad0b730d4b
SHA1 1b1a77f956cbd9c0523b52a95c82c4989aa214b9
SHA256 f828249b39ec79a523a10d197bd1a1072b9965b09018b9cbd2851bd2a65989e0
SHA512 9566c46147778b7390c6fba1785f329682953e82a2c98473d5ea4cd4d8c4b8baa2ecc897553986d65b266f8b4f0a73dbe33f0bfd223db644678144568381a84d

C:\Users\Admin\AppData\Local\TempXMIRI.txt

MD5 748c2680f1565f476bebf0293522b917
SHA1 d204341d0ec0d3c6c2ad721d573efbacdccb208f
SHA256 2bf06dccf0e5f3d6f5bc7d01b31e00ed07c0cd6221004d825f5fee203323261a
SHA512 99005b5f6afaa0cffab56f590062d19c0d27604cab9c2c77a9620d9bc6765a4d0c7b92a8ed0dfa23e80087135bacb3039a96419752760ca576cda9146808fe8b

C:\Users\Admin\AppData\Local\Temp\KDSCKTPKFAEUVSB\service.exe

MD5 9f78963217def3910ac936d804a96628
SHA1 28bb32dcc1dd6767c1e14895d383af1e45f35ebb
SHA256 024646e7f72e1af141c3a8d5b47709268d0d3faadd92ee4be4a362c669a088bf
SHA512 46eface2f0ec561ebeecdc618599f70e5cb7bc0ea0b3fd5469f546df45f127478b6ce053b965613c70481e8e2e3f4bc726ce6645627eb9aa54415d45b9e7a3b4

C:\Users\Admin\AppData\Local\TempWTSWJ.txt

MD5 aebf6eb0347e03e8f4357d9b3a9193a8
SHA1 293d3f059e4d346f8d10552512f48477eb12f3b2
SHA256 32f13e7683bd48d53ac6216812b0f670e22f663326d93062f0c7360f6d5e688b
SHA512 a8d963c079524327f277c1e5eb3a107b64b57d8accd6da0f9758d3cf73c99a2147e00a7609f18e072e5bc7630d6eb45aa6f25fde5a6d9b2fcb8e85b4d99a613b

C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

MD5 dc83a0127bff374b00f9126e68a2635f
SHA1 95358366265cd43177da44da0118efee81b4daca
SHA256 9a26c8616f73111be82c813e8ab96889d9f4fd137057d94193730b6c3a07d6c0
SHA512 a04a941c11f5a79a3179140b5a5bc3edc49662e558931d87c05ddf1468f073449e55666c1356be079b07fa612dcc4c2a83bf7c819112716e5e81923bca6f0705

C:\Users\Admin\AppData\Local\TempXWSTT.txt

MD5 601e13abe3a7c6c4ba9ec5974385f941
SHA1 11d3359c26ba1b2a30ac5fd86771641fd3480c35
SHA256 e6914e4e8ff8bbdbb6bcd169d24885e364f75ffcfbe5e0bebd345d55a50e0f38
SHA512 9b2f07abe4efa44cb181f5b6c6f80a2e52c0cc536d38d4ba77ce0b98fb6b4d78adf2c5247fdbff966aef67bdfb67805cb9862e5eb36cde513d4e666ab4eb9572

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOAHLCN\service.exe

MD5 1471e0ca41e500dd609c5967f5a68fdb
SHA1 9ea5d530db9eb5e8326b8c237e24c6a86695aa9b
SHA256 82d335e1c944e64745a04c3b52aa174a6da78c3de1908c7e1fa7d3207bfb54dc
SHA512 1c17a53824fae12a2c79ab2a4bc7b7a2fa3e274e5abb4f78c2d354fef6ae18c71d466af84426754e3e2814cf0a186768c0492cb53cc26a23b9573348369763dc

C:\Users\Admin\AppData\Local\TempDGHQM.txt

MD5 7cedb3d42768f20679a594db5102907a
SHA1 aa67317acf7a8bb0918555dfe9b53ff203cc2879
SHA256 01893a2be0e431b455d0ff12a54061710bf853577b9951c3db90f2b69840b018
SHA512 f5e0f0b08258ac2645048fafbc71c4ada3374b93990c62833e443d1de313b541d026778d27c4c5d9504d21296a01281227785c8751fdc93c57ec250a2a53bbb1

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe

MD5 02a41c99c4036a88f43d1bf420dd811e
SHA1 c9341ee7cb554b305eefb31634fa76d072129c91
SHA256 af33245d83083e364a6e96b69906d569dc0f7185208b36ff21d8a6a98747385e
SHA512 f720eed3793fd63fc047b0c19f25d0825376d114d307975c32f4353fd88d3a5165a59b197fa9915aa48111f7a520b080c8585bf3d8a2e6ceb2385b2a9706dd94

C:\Users\Admin\AppData\Local\TempJHLGO.txt

MD5 8509bf9401bc0a70df2801d1a6c97866
SHA1 8c3c97ea6e580ef8abfb31cd54a8d3c933b08f14
SHA256 79f858d8438fba230ba0df8e090549c443ac3a95fef05ff7f7495876af4ddb54
SHA512 35192bd18f309f2dc562f5eca04c9444844f032e7d81f578c2c737470a11d200d9d3d1ea0b9450f57e2cad3b83a8ff0a97fe039852d76d644df84ac0d479408a

C:\Users\Admin\AppData\Local\TempQRWDE.txt

MD5 6e3815379c8f480ba4bf4314d9c8ae36
SHA1 d38d3f6a9c42f75504efdfd7e29b6854707c35e5
SHA256 050f9da0d56aa7132b7b3085d091415b9e80bc02528b3bcf2312220b928b2869
SHA512 3cee7e22d0d114305306070bd9af41383904d1d8a8bf2d290d86cf191a6bf08277ac930f47d59187a78c6545ff26c0e251501508fba62e76b89b9097d08b624a

C:\Users\Admin\AppData\Local\TempUASWR.txt

MD5 61101519a3da1228d0e0498cf23f87f5
SHA1 23984750bbaf6fceb0c0fbeb529e99639b05e8be
SHA256 9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac
SHA512 26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

C:\Users\Admin\AppData\Local\TempUFEIV.txt

MD5 2d79e5a174e0c2d7b5f847285e2b0c5c
SHA1 2c2ee0c9d35c15f144590e1ce1be936bdd7b9bcd
SHA256 fae75501fa5030fd4ecb0df3ea07cf1f0e2f8b867d3dd8fb60ba65c933011811
SHA512 c7fb07e0003ae95a9e47346dd7a7e099c4f224dfd170d01ea276af3e458ae26ec85922b2661f8c8e16d10ab26fea41c5e1010903f37942446d4a26dda404f330

C:\Users\Admin\AppData\Local\TempVGAOX.txt

MD5 8f1ebadc12ce7eb03827462ace5798bb
SHA1 ffef26150d6aea7f5230f54f396fdd962a867d05
SHA256 4debe61d057f2dc9c80bfc3ef55cb92aecba7cf3a48282cfbf1736a9d15670ea
SHA512 d45fda1816ba8341423369f9e95eea987cc139586e390cf0a627f6cbddc7ef8ff178aac4a1516070107a4de08c414a60dd9049c1d0949563dbc0aee8d46c570b

C:\Users\Admin\AppData\Local\TempCQPBJ.txt

MD5 09061505e34645afdf2dd58a50775a35
SHA1 a8e4f91b1d4c76f68f405784fd17fb0e57ae9701
SHA256 e7c3b3a9b765d9b773f8ed8c2330b02ead44f94946b945ee223ad71ff857b22b
SHA512 8182305be6cc91e65d13bd12ee3cc54a890547f79190f88886eacad355e6f33cc947acbbf59955024c3889be76ba74099a1e1562527c5b08ddff8868a610614c

C:\Users\Admin\AppData\Local\TempOVLJN.txt

MD5 f3931ccf4bdf284ee5fb347c6e43bbf9
SHA1 f538a7c05c86b67b4989635505496f06645b6758
SHA256 aae5447814b780af09a0f1a0e4bb253dc6dec2fb60f5bdb4e9bc7b27c21f77b4
SHA512 64cc45490c27133d4599cf71ecb148c129b33e83229572c6da074334a7016f51c1fba50ecf66b401fc2933c08b8a0a07a7292bd86bab251655555b34f8471514

C:\Users\Admin\AppData\Local\TempFXVEE.txt

MD5 58011a41e484beb480a74d17c7cdd1ec
SHA1 68c2fa7c080d2eba3f7c2092047991e2cb64ceaf
SHA256 714c6d484b04573dc88ca6fa11639bbe1faa5684fe1a9454af69c96970de6329
SHA512 20b39fd418a870fe0724b90e8109219734f45ede42e812f9085e6fa46ca856a1e9dc5579393c7fff6849cef4b6386b7ff8837e3864113b4b77fd7c95b881eac3

C:\Users\Admin\AppData\Local\TempHQCIN.txt

MD5 4f8e2eb175512bbf2f4fcac496593d63
SHA1 462a3cfe0bba8a1c439dd568b5e8014ad39dd58a
SHA256 af46c409447714c8112f5d2dcbab67e29f528e068fa3c4bbc0a0e9ef79041b75
SHA512 0e5cfad7ac2fbef753f9b88590c4a84dea8cb9277392ec9dab9905055884c07f32ac4e73e57bad871b6139d84f9bdbcdd0a3b2b4e8794efeb700501a087f73bb

C:\Users\Admin\AppData\Local\TempFRCBF.txt

MD5 6fc4da483c651185221b5e788e6086a6
SHA1 dd19d5c383e1a364bf27f67006787766ea8f031d
SHA256 28d15f9e6bddb3e835b62aa3f4722566930371a04c24bee06d0d89007e3ef024
SHA512 b93e65ae41cd591d7090cd7a103db57c0ddf06ebdf92eba6eedec563e52016d0d97aa70abfc97ee9aeec332b04304607d2db9b1aa9436adc0786c50d106ebbdf

C:\Users\Admin\AppData\Local\TempYUBCH.txt

MD5 be924e320b1e92cbccf2e9de781be821
SHA1 09cf142e3df6a20ba6a1a1ac4f3728fe886c2945
SHA256 a98b0fcaf22d109ab3cd7586424a986d02467e143625b9df23958a2d4e176b81
SHA512 88edd1c598bb34763ecc3ac3cf192f05d6a8f5940de6ac29107af234239140c5b085c588d5a5eb48828e6dbde8072c2ffda8b03a6ef1d783c3dfad1347ee9b0e

C:\Users\Admin\AppData\Local\TempFGDME.txt

MD5 394c8beb81d73c641d531bb0b6be1fa6
SHA1 a63ba048872e14b00514bcc9e2251b1f5ae94cef
SHA256 c2d64f8c9e90503407dfa5ad777e116ff0c53328c356c917b647383e79abcbbf
SHA512 32b232b6fecf626653b8eb77b0d4f1a124690fe994e3051e5891fdac720b15c460583793524cf8ac16e8b25665fb303d4d0859fb88fb5462c2b19ed6e036fa75

C:\Users\Admin\AppData\Local\TempMNLTF.txt

MD5 ea80b813a13113ba6ad8554f71b3dc23
SHA1 49d03b6e7cea3aa994ac32fbc38c0a41d1ce22f5
SHA256 9bfd6a52cfe047211e8f76dda5b183af2817e8a77700498150069d0594295c48
SHA512 0e07f6a43094a0a838c449fc564cfcca6d874daad56fd52463654a6f160be2d851e6d72423ba9692af36f058431894248269d03f5a1f0526bb9618a33d6decab

C:\Users\Admin\AppData\Local\TempCHYUU.txt

MD5 fe86a1bcc9e6ab20e4c242d1b4b8a4a5
SHA1 8acdd52e21c9479143e8f19462ef8ae7d1f25e23
SHA256 4aade04c584e35c19dc188ec5bbce171d35b47a8d97244022dfd4df2ede1daee
SHA512 063953813d9d26ae3e7deddb68a44145fdbce3677dec57f9d31a6b946ff7bc42d540cf5f0bb5b570c80208fc2034cc0992dfdfcbe9a0abba32014ebe0922d65e

C:\Users\Admin\AppData\Local\TempREDRU.txt

MD5 ac43f82f5a12232a199157db6a4c9076
SHA1 f03506b3c36d1561786aadb357c82869c55c2ea8
SHA256 a809ee44f1e0595dbca60ad3c70a9b58ec62e4aa5886d51e73496a53a805efff
SHA512 4ed7400e68486ba731f820349e76dfb56730aee9f3c9a132ea92cabd64d1a0a40fed6e4860dc5443f76580e57fdb2beb1b043959b6718acf335232fd8514eaa1

C:\Users\Admin\AppData\Local\TempQYQKD.txt

MD5 3845a288688af0ea7ad1b3351fbf7892
SHA1 bd748562ecc8a31ddc6abd83794975fd1385c1b5
SHA256 6cbea6af99a5c35e01753503a065cd827b5e9e28119a7a5f29af8b496c3b1ac8
SHA512 c3415763356726bc68e4f2b422c143350a804694b918b971afe1f767e0288c4eb07a4ed8041c8b4adb37e5e8aa5879c45db06879117b926bb7b6962b8ecebed0

C:\Users\Admin\AppData\Local\TempBIWER.txt

MD5 c78a9c4a35ade4129cca9d1e9fd17d34
SHA1 bec85bc03f9797ec011767d39a60fd8a6912f417
SHA256 8cd75fc67979d0c3c56d6730ecc15e6c45ef6dab654666368196e5e97d1491ea
SHA512 d49cfec62ab739821ffe1b2bb947e5d29fa76810203c0e03784e267832c23a7449c192da90bc048474f15a34663b610733f4195462ade9298584a0538864e118

C:\Users\Admin\AppData\Local\TempQQFOB.txt

MD5 4ac8f5745193a6f9a1b825c67798dabb
SHA1 8708e3707c77d35373de6967ae9942c197db15d8
SHA256 e6eae62b4bb8272204db9082a08bbe94996a0d82665c7b81bbbe6c81d2d0cd05
SHA512 c381d4b5c082fab4784567b9c495b6146128a3151db93cb4b61952d32ad8dfafbff3f1334d0a65ec7317d39b5806cf6deb575a52f768630489801ecdd950cb62

C:\Users\Admin\AppData\Local\TempJVGFJ.txt

MD5 1bac81f9c646fe2b674d58a179cdfa39
SHA1 f0dd89413f25043dec31a23f4d301be40fd32902
SHA256 afca7bb674d728b84da41109cc101c857527fe9e2aba63c85804a757d8556561
SHA512 802abfaf7b573bd715d455ad394cdd5aedbb188031cd7be7ed5b0910656951b6a9dd5e28347d85ef34f5865548b8231ff89025d4c22a9127aadbf5af7c60b6f0

C:\Users\Admin\AppData\Local\TempQNMQD.txt

MD5 6625d8d591d9531af5a93b0939b70765
SHA1 a761747fa880c4677e73ed657ff6d7cd6effca5c
SHA256 a6a3532725f8244e3be90022376fc07249dfd2cefd1ebcd10c5e7d1fae8ce51a
SHA512 85a830b20bd99db26926a0bc229f83313b27c7f9a9d76036478ea2bc6280fda8021709de87347368c455b3b5a41153a1d44b130d82bdf47d3f4123f8a84fa4cb

C:\Users\Admin\AppData\Local\TempRVQYM.txt

MD5 e6853eb8d8bcd95d445473b6a01ee7b2
SHA1 9734a00608a3ff2bca48bbce91dcb7e601a93b82
SHA256 01738fc0e6199dfa9e0bc7189ed9156e3a99ed4a50eb581c66dd0738286c4d07
SHA512 e11f7f49927db5e339380eafc0951e22f95e61f83fb45b98913d4bdde42f1a90697d0b3fe40d9022041c4755e3f00cfd9c50ba9ba0f67da41c225b617100a872

C:\Users\Admin\AppData\Local\TempEWVRR.txt

MD5 b3c991bd10680d992a6aeddc3022ffd8
SHA1 aa16ac0333280b9346e07cb3700f9a6d89a2546c
SHA256 09b4fcc6c3713f89d1468e89291c2e2850b7173d3b5f4233b047ec22ece7b72b
SHA512 d21378daa1eb3a0c15325b5f340c3252fa603d7b51e5fc1d82405899f163a929821e3070d3bdf65e0c1be87193eb140b269be0afc80820dee513a0a358df92c7

C:\Users\Admin\AppData\Local\TempMNWSA.txt

MD5 a4d004ad29d3b8175a96f922359cc315
SHA1 0fa15cba7e806e78247ff7a5a5aef1172dbeed47
SHA256 3e67df9708b257edbe5dc59a43ca15b93a69924b932332eb540da0ef422b729c
SHA512 81259fbf60b4f0153dbcd04484d0ad28ab3fecce6d4945a3a72b8535d6d120b20ceea5d1be9bbf32c5f35c1e7ca97cff84ecde6f288ebd29019b98f1783af423

C:\Users\Admin\AppData\Local\TempBYTRA.txt

MD5 44c21cc5be8ae2a576be1d54e1ef6e9d
SHA1 a2faa69c90172db8c93bed2f67eeae187634669a
SHA256 be1aea600fa59172350b8929dba873d99045a73a3495f8489606c7f92e830049
SHA512 ef2ef1a977fc9854545cac015e4a4b6698b424746cac92b7fa682e8d3d7e38c580ebebb5be14fc76ae941bcde26d7cd78da478ad947941c83dcffc43459e8fb9

C:\Users\Admin\AppData\Local\TempAHUCQ.txt

MD5 e9ea081c5a41b847f5f8222a51e7da8a
SHA1 3b129936a5a39f7565d3313c5cf901807bac8cc9
SHA256 83515ba7a54b2fb22dd4585258b0f0bbcf368c4db790c760e686993ac7d0171d
SHA512 ed3791219f776ce47c40ba9dc6d27a7fb7c3b4340bfb49e806aedaa42d35e65dff753f8d35e7124efb0fca5cb3a8de44978f2d34cfc1bf581acbd373202398d0

C:\Users\Admin\AppData\Local\TempGYXTU.txt

MD5 1aa231193817ca982375b9b41286039f
SHA1 897b67065055c905c5b5376bb63732a2eea5951d
SHA256 9862d5b00f91a544792740a3f17a706469f2329d86825bbf5db186edef3ae43f
SHA512 de7067a4572eeddc10ba885822a94a5162c376973f438f5b6619b5ad3eb7dc9c82f7edd2b33564894ea12dc11d2f0111c55a55efdf014839698441dbd58f285a

C:\Users\Admin\AppData\Local\TempYGUTF.txt

MD5 69786475f46eff7a611d5d485b9a9507
SHA1 306206beab8da223f7a0f2dc5c488c4da9fea3ee
SHA256 4612f74b03bbdc0afef06ca91661f4e639f58571e065e9beed2ef884b8750a42
SHA512 3c28606386ee67a2eb70d64abf07f4ab002be80073372d8bde65f37d59e3dd1309c9b018e8a4ad8a6cccc4cafae21b99a6ac8a8fb0f568149f4c02c88ed480bb

memory/1448-1243-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1448-1244-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1448-1249-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1448-1250-0x0000000000400000-0x0000000000471000-memory.dmp