Malware Analysis Report

2025-05-06 00:15

Sample ID 250124-h9trzawrgw
Target 00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe
SHA256 00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975

Threat Level: Known bad

The file 00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Modifies firewall policy service

Blackshades

Blackshades payload

Blackshades family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 07:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 07:26

Reported

2025-01-24 07:28

Platform

win7-20240729-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFWPS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFGRXOMQLTHIB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYDUPCKE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NRFIECSYRHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKDXEVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PLLXURVQYNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RISOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKUOMPAFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTSWJANJHXVMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QTICBIRHNEVMALB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JFERHVQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDIPYBBPUMUIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPMLPCGCAQWOFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBUSBUKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWRQWSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QBAYEWVRSFLSSDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEKBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPSDHNAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKOUABHETSGHCBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDLDUMIDTNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJVWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UQERCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJIOKANUEP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYXGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXODND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABVBSNAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWHTSTPNUPFSAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCOAXCVUQREJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\QCKCTLHCSLMVMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBQRPXJQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
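The two registry-writing signatures above (the firewall exception list and the HKCU Run keys) share a shape: every entry is written by `reg.exe`, every target is `%TEMP%\<15 uppercase letters>\service.exe`, and the firewall entries use the legacy `path:scope:state:name` exception format with the display name "Windows Messanger" (the misspelling is the sample's own). The following Python is an added triage helper, not code from the sandbox or from this report: it parses indicator lines in the space-separated `Description Indicator Process Target` layout used on this page into IOC records, splits the firewall exception value into its fields, and flags targets that match the drop-path pattern seen in this detonation. The four sample lines are copied from the tables above; the 15-letter pattern is an assumption generalized from this one sample and should be loosened for other Blackshades builds.

```python
import re
from dataclasses import dataclass

# Constructed sample: indicator lines in the report's own layout
# ("Set value (type) <key> = "<value>" <process> <target>"; "Key created" rows carry no value).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSC\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFWPS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A',
]

# "Set value (str|int) <key> = "<value>" <process> <target>"; the value may contain spaces,
# the key, process and target in this report do not.
SET_VALUE_RE = re.compile(r'^Set value \((?:str|int)\) (\S+) = "(.*)" (\S+) (\S+)$')
# Legacy firewall exception format: <path>:<scope>:<Enabled|Disabled>:<display name>.
FW_ENTRY_RE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')
# Assumed drop-path pattern generalized from this detonation: %TEMP%\<15 A-Z>\service.exe.
DROP_PATH_RE = re.compile(r'\\Temp\\[A-Z]{15}\\service\.exe$')

FW_LIST_MARKER = "\\authorizedapplications\\list\\"


@dataclass
class Ioc:
    kind: str           # firewall_exception | firewall_exceptions_allowed | run_key
    key: str            # full registry key path as printed in the report
    value_name: str     # registry value name (for firewall entries: the program path)
    path: str           # executable the entry points at ("" when not applicable)
    process: str        # process that performed the write
    display_name: str = ""
    suspicious_drop_path: bool = False


def unescape(value: str) -> str:
    """The report prints backslashes inside quoted values doubled; collapse them."""
    return value.replace("\\\\", "\\")


def parse_indicators(lines):
    """Turn 'Set value' indicator lines into Ioc records; other rows are ignored."""
    iocs = []
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        key, raw_value, process, _target = m.groups()
        value = unescape(raw_value)
        lkey = key.lower()
        if "\\firewallpolicy\\" in lkey and FW_LIST_MARKER in lkey:
            # Value name is everything after ...\AuthorizedApplications\List\ (the program path).
            value_name = key[lkey.index(FW_LIST_MARKER) + len(FW_LIST_MARKER):]
            fm = FW_ENTRY_RE.match(value)
            path = fm.group("path") if fm else value
            iocs.append(Ioc("firewall_exception", key, value_name, path, process,
                            display_name=fm.group("name") if fm else "",
                            suspicious_drop_path=bool(DROP_PATH_RE.search(path))))
        elif lkey.endswith("\\donotallowexceptions") and value == "0":
            # 0 means the profile will honour the exception list, i.e. the rule above is live.
            iocs.append(Ioc("firewall_exceptions_allowed", key, "DoNotAllowExceptions", "", process))
        elif "\\currentversion\\run\\" in lkey:
            value_name = key.rsplit("\\", 1)[-1]
            iocs.append(Ioc("run_key", key, value_name, value, process,
                            suspicious_drop_path=bool(DROP_PATH_RE.search(value))))
    return iocs


def drop_paths(iocs):
    """Distinct executable paths worth collecting from the host, sorted for stable output."""
    return sorted({i.path for i in iocs if i.path and i.suspicious_drop_path})


if __name__ == "__main__":
    for ioc in parse_indicators(SAMPLE_LINES):
        print(f"{ioc.kind:28} {ioc.value_name:20} -> {ioc.path or '-'}"
              f"{'  [drop-path pattern]' if ioc.suspicious_drop_path else ''}")
```

Two caveats when using this on a live host rather than on report text. `StandardProfile\AuthorizedApplications\List` is the XP-era exception format; this report shows the sample writing it with `reg.exe` on Windows 7 but does not establish whether the Windows 7 firewall honoured the entry, so treat the key as an indicator of intent, not proof of an open port. And the Run keys are per-user (`HKU\<SID>\...\Run`), so a host sweep has to enumerate every loaded user hive, not only `HKCU` of the investigating account.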

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
PID 2144 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
PID 2144 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
PID 2144 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe
PID 2940 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe
PID 2724 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
PID 2424 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2424 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe
PID 1724 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe
PID 3000 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe

"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWLUHG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QBAYEWVRSFLSSDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFWPS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSELPB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QCKCTLHCSLMVMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLLXURVQYNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RISOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCFGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTSWJANJHXVMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe

"C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYXGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIIRMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFGRXOMQLTHIB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JFERHVQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDIPYBBPUMUIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWHTSTPNUPFSAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYTGNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WKOUABHETSGHCBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTGMRC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDLDUMIDTNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJVWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRFIECSYRHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LOEWUDXMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCIWES.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPMLPCGCAQWOFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXBUSBUKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKDXEVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEXXMV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UQERCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNNOJIOKANUEP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWRQWSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCOAXCVUQREJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSC\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempWLUHG.bat

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEKBSJIT\service.exe

C:\Users\Admin\AppData\Local\TempUASWR.bat

\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

C:\Users\Admin\AppData\Local\TempTYFGD.bat

\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

C:\Users\Admin\AppData\Local\TempSELPB.bat

\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJQ\service.exe

C:\Users\Admin\AppData\Local\TempWSSHQ.bat

C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFUIPK\service.exe

C:\Users\Admin\AppData\Local\TempGUCQP.bat

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDX\service.exe

C:\Users\Admin\AppData\Local\TempWIGKF.bat

\Users\Admin\AppData\Local\Temp\MIWUKUOMPAFKYXJ\service.exe

C:\Users\Admin\AppData\Local\TempCFGPL.bat

C:\Users\Admin\AppData\Local\Temp\QTICBIRHNEVMALB\service.exe

C:\Users\Admin\AppData\Local\TempEHISO.bat

\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe

C:\Users\Admin\AppData\Local\TempOMQLT.bat

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

C:\Users\Admin\AppData\Local\TempULJNI.bat

\Users\Admin\AppData\Local\Temp\BOKXNXRPSDHNAMU\service.exe

C:\Users\Admin\AppData\Local\TempYWFGO.bat

\Users\Admin\AppData\Local\Temp\MFVEMAABVBSNAHC\service.exe

C:\Users\Admin\AppData\Local\TempIIRMV.bat

\Users\Admin\AppData\Local\Temp\PHXGODCDYDUPCKE\service.exe

C:\Users\Admin\AppData\Local\TempMOXTA.bat

C:\Users\Admin\AppData\Local\TempJACDR.bat

C:\Users\Admin\AppData\Local\TempYTGNI.bat

C:\Users\Admin\AppData\Local\TempTGMRC.bat

C:\Users\Admin\AppData\Local\TempLYGUT.bat

C:\Users\Admin\AppData\Local\TempLHVUG.bat

C:\Users\Admin\AppData\Local\TempCIWES.bat

C:\Users\Admin\AppData\Local\TempRSXEF.bat

C:\Users\Admin\AppData\Local\TempEXXMV.bat

C:\Users\Admin\AppData\Local\TempGUCQP.bat

C:\Users\Admin\AppData\Local\TempRCVVK.bat

memory/1484-642-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 07:26

Reported

2025-01-24 07:28

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGEJWXAKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OMQLTHIBIIRMVMB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMDVNJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNDNHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABHES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEFQWNLPKSGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNBBCXCTOBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KGEUTJJLGCDNIWV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQTEIOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIIJECJFVIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FVWTCCNUYKIMHPD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJSJOGXOCMD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQBNY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVRFSDBGYXTUHMU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASCOOPKIPLAOVF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCGYXUVHNUVGAOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLBMFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOLPLSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCCDXDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFID = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYXFPFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NBOWCUYTPQDJQQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAAVARMHBGV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVIMIGWULLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WXUDDPVLJNIQFGY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBSMAHCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFGCACXSGNHMJUR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVTCCWLHPGEQNMQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWIJGOAHLCN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHMTFFTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NPKILAOVEQUFRCB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VHQHQNIXRCSCRSP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQJPWHIBVACSPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVUQREJQRCVVKTG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MGPWHDOHIYRUWHI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKBOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNCMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTRVQYMOAGNNWSR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNFLSEERXPXLVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DHCKWAXSQATIWEN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EFABWRELGLYHTQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXENXVFBMGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVACSOPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHIBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CLVTDYKEXEVORSX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGBQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PNLPDHCARWPFFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSLBLFYDFWSTA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPTHKGEUTJJLGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TGOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKHQCIN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCWTOBXIYDIXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMYPSRTFJOCNWN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSOJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDUOCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDRHUQOTGTVAQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPFXVEYNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4972 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe
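
The reg.exe rows in the "Modifies firewall policy service" and "Adds Run key to start application" tables, together with the SetThreadContext row above, are the host-setup sequence this sample repeats for every dropped copy: a Windows Firewall exception for %TEMP%\<15 uppercase letters>\service.exe with the display name "Windows Messanger" (misspelled exactly like that in the registry data, which makes a cheap string indicator), a DoNotAllowExceptions reset to 0 so that exception actually applies, an HKCU Run value whose name is itself 15 random uppercase letters, and finally one service.exe setting the thread context of a second instance of the same image. The Python below is an added example written for this report, not code from the sandbox or from any vendor: it consumes rows in the flattened "Description Indicator Process Target" layout shown on this page and emits one finding per technique. It assumes the rows are available as plain text in exactly that layout, that the dropper directory pattern (15 uppercase letters under %TEMP%, file literally named service.exe) generalises across this report's rows as it does in every row printed above, and the trailing OneDrive row is a constructed benign control, not something the sandbox recorded.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first six rows are copied verbatim from the
# behavioral2 signature tables of this report (flattened "Description Indicator
# Process Target" layout); the final OneDrive row is a made-up benign control
# so the Run-key check has a legitimate entry to ignore.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YUIVGEJWXAKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DVUQREJQRCVVKTG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJPWHIBVCSOPLK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'PID 4972 set thread context of 2708 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" C:\Windows\System32\reg.exe N/A',
]

# Row shapes as the sandbox prints them; rows of any other shape are ignored.
SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$')
THREAD_CTX = re.compile(r'^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A (?P<process>\S+) (?P<target>\S+)$')

# HKCU\...\Run\<name>; the value name is captured for the random-name check.
RUN_KEY = re.compile(r'\\software\\microsoft\\windows\\currentversion\\run\\(?P<name>[^\\]+)$', re.I)
# Assumption: every dropper directory in this report is 15 uppercase letters
# under %TEMP% and holds a file literally named service.exe.
TEMP_DROP = re.compile(r'\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$')
RANDOM_NAME = re.compile(r'^[A-Z]{15}$')


@dataclass(frozen=True)
class Finding:
    technique: str
    process: str
    detail: str


def unescape(value: str) -> str:
    """Registry string data is printed with doubled backslashes; undo that."""
    return value.replace('\\\\', '\\')


def analyze(rows):
    """Return one Finding per Blackshades host-setup step found in the rows."""
    findings = []
    for row in rows:
        m = SET_VALUE.match(row)
        if m:
            key, value, proc = m['key'], unescape(m['value']), m['process']
            lkey = key.lower()
            if '\\firewallpolicy\\' in lkey and '\\authorizedapplications\\list\\' in lkey:
                # Data layout is "<path>:*:Enabled:<display name>"; in this
                # sample the display name is the misspelled "Windows Messanger".
                path, _, rest = value.partition(':*:')
                name = rest.rsplit(':', 1)[-1]
                findings.append(Finding('firewall_exception', proc, f'{path} ({name})'))
            elif lkey.endswith('\\firewallpolicy\\standardprofile\\donotallowexceptions') and value == '0':
                # 0 turns the exception list back on so the entry above applies.
                findings.append(Finding('firewall_exceptions_enabled', proc, key))
            else:
                rk = RUN_KEY.search(key)
                if rk and (TEMP_DROP.search(value) or RANDOM_NAME.match(rk['name'])):
                    findings.append(Finding('run_key_temp_drop', proc, f'{rk["name"]} -> {value}'))
            continue
        m = THREAD_CTX.match(row)
        # A dropped service.exe setting the thread context of a second instance
        # of the same image is the self-hollowing step the report records.
        if m and m['process'] == m['target'] and TEMP_DROP.search(m['target']):
            findings.append(Finding('self_hollowing', m['process'], f"PID {m['src']} -> PID {m['dst']}"))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_ROWS):
        print(f'{f.technique:28} {f.process}  {f.detail}')
```

Run it as a script to list the five findings for the sample rows; the OneDrive control row and the "Key created" row produce nothing. The Run-key check fires on either the 15-letter value name or a %TEMP% drop path, because a host that has already rebooted may show only the Run value while the dropper directory has been renamed by a later copy, as the many distinct directory names in the tables above suggest.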

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Windows\SysWOW64\cmd.exe
PID 428 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 428 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 428 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
PID 2052 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
PID 2860 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1444 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2860 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2860 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 2860 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
PID 5084 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5084 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1432 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5084 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
PID 5084 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
PID 5084 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
PID 3792 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2068 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3792 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
PID 3792 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
PID 3792 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe
PID 5052 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5052 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
PID 5052 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
PID 5052 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe
PID 4960 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4400 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4960 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
PID 4960 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
PID 4960 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
PID 4056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4056 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4056 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe
PID 4056 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe
PID 4056 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe
PID 1076 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe

"C:\Users\Admin\AppData\Local\Temp\00fcf8a8a34fb5c2cd0535fba86642a2a9567a6184f489d0e823291c20470975N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SFGCACXSGNHMJUR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEFCKD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CLVTDYKEXEVORSX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFOAGL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MGPWHDOHIYRUWHI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKVTSW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OMQLTHIBIIRMVMB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWNKP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCWTOBXIYDIXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe

"C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGBQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJIWDT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DCGYXUVHNUVGAOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDHHBG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVTCCWLHPGEQNMQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNLPDHCARWPFFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHIQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOLPLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHQHBL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KGEUTJJLGCDNIWV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTHKGEUTJJLGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKBOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXWTT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NPKILAOVEQUFRCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TGOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFID" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNED" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\OQGAYXFPFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNXTAG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDRHUQOTGTVAQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPFXVEYNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFXVEE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FVWTCCNUYKIMHPD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe

"C:\Users\Admin\AppData\Local\Temp\SUKECJSJOGXOCMD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIIJECJFVIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYAHHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEFQWNLPKSGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\OGWFNBBCXCTOBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUUJSF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NBOWCUYTPQDJQQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe

"C:\Users\Admin\AppData\Local\Temp\MEUDLAAVARMHBGV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQBNY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEYCNL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DHCKWAXSQATIWEN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYYN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVRFSDBGYXTUHMU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TASCOOPKIPLAOVF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRMUJJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EFABWRELGLYHTQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGHEMF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXENXVFBMGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVACSOPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFOK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVIMIGWULLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWFGOK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WXUDDPVLJNIQFGY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPTOWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABHES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHIBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPCYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTRVQYMOAGNNWSR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNFLSEERXPXLVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGEJWXAKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKQVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHQHQNIXRCSCRSP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQJPWHIBVACSPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFSWWP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DVUQREJQRCVVKTG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe"

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe

C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJPWHIBVCSOPLK\service.exe:*:Enabled:Windows Messanger" /f

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53         97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53         172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53         68.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53         5.114.82.104.in-addr.arpa     udp
US       8.8.8.8:53         232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53         53.210.109.20.in-addr.arpa    udp
US       8.8.8.8:53         241.42.69.40.in-addr.arpa     udp
US       8.8.8.8:53         182.129.81.91.in-addr.arpa    udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa  udp
N/A      192.168.1.16:3333                                tcp
US       8.8.8.8:53         43.229.111.52.in-addr.arpa    udp

Files

C:\Users\Admin\AppData\Local\TempPTOWK.txt

MD5 2037347797bac083ebc215041f536594
SHA1 5099d1a2477a0f7f5b96b5b0256f5051bc8724b8
SHA256 4f6eefaaf197299e8a853243a3efec3fa499f5d8661c3590432ab2cdac202b16
SHA512 d5b6a1f0d254cfdf46e07b19e48d4d7988016178e348e7060b6c6617d53e322eb5bc5b8ebd8a4d7f1fb7264c7e391495e56a023e2e5e361c3e93d7263d4764ab

C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.txt

MD5 5132bbf168c0a7e5e62325a7643f31d8
SHA1 051d03ffffd645ee81fa669a485f7f86d5dfea3f
SHA256 9e7f2c9f417ed8adce550d1ee726df539cfc202dd22c0b836306c4080e932968
SHA512 7e6f643d18bbfa5222941bd958a075e899b0b597b9e95464ebba5dfb7baa66e97f8d57456486f42bfcde0af58f5d253cf36fca42fc80996383a1e6263007dff6

C:\Users\Admin\AppData\Local\TempEFCKD.txt

MD5 2fc221260bc64dbe75749778291fbbde
SHA1 9ce10d502d3c91095a63bec896646556bef19a95
SHA256 3cc4ceb1a902ab8b0ce684b8f901a165ba7d6a6bb1012138fe61d0d37fcfab75
SHA512 96795ee572a97695fd6d96435746cc3c4da137ff090bc790babb408422b0d030fe451b6260290bc3693c4019165ae2a109d0cf726cc5fae5f172f9fb44b58b61

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

MD5 3a290136fd8e522fb86d3f0dd2053464
SHA1 385533a7067fc2d6a637df899d3ad613e7814f14
SHA256 d1ef0425043b8fa16d3c6ec487c1f27e8a450f9f55f3c53afd78985b88e8d443
SHA512 2a21d3ce9c01e0d97b28d94c30909e8c3b2a829699dfa12cc6a4a7debea5f013fe11be03c4a2fd98a2a6ffa3c6c59153f8613f6877f6bc0b98042ad42d04a034

C:\Users\Admin\AppData\Local\TempFOAGL.txt

MD5 e5ebcf8683ce3e8c02fe2f678d430a8c
SHA1 81b39fd3bdd5dbdcb4ba0b1c057e92b460100d4c
SHA256 157380c53f94d8d4000436e42940d63ae2fb6a91f80d71c35830f82d3140d2c1
SHA512 a240088407b1d4aee249dc6a129689e9abd10969497281f5c748c50c54dcac06929929a4bbe569b5783cb78e81ebb8cd4cbdfc3cfc87c8cc659cbe702187c56c

C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

MD5 1d0379e678786840cf573638ad6700f7
SHA1 48d883a7e0115060a52ff2534d5f3f54258d6a8b
SHA256 ce54c25d2192a6239f064c48a34dc6d6b82d5d40a9344605943156ac71f18beb
SHA512 aae718a4206eb348dd13cb76124e5857ea9af8b076c0a4e67eb43dd35797bbd40dc692ce3ec868a9d8beb4e3d0b62cd5f2e3a068c44f76b69857d783cdc4fd8a

C:\Users\Admin\AppData\Local\TempKVTSW.txt

MD5 355451ecc7c98543b7df3b0daca5947d
SHA1 430fd0fab7fbc041007083b40ddd47d2846ae9aa
SHA256 e2b822395c0fe0d5648050cf3495407eb02b80552ede58aaadaeda938bf1df6c
SHA512 56707a77375b6f1c892ed4abb5248492375cc6d151530c55642112e73a1b7006be14b7d6c24ab4946754e59aa81a674aa2a3c26103a7a8bd4de503ce6394161c

C:\Users\Admin\AppData\Local\Temp\DMDVNJEXNOLUGMR\service.exe

MD5 74c6256d5a3e368a8a58ff6cdb3c1474
SHA1 88be0e0199d5fe70a41cb7557fd63c948d075f4f
SHA256 aa757e26feb2cbe18a84f16420288437ac1a9935db089e1503a0c1b91fe88ec2
SHA512 f1266cbfc9563d99cef5d168b8161d750788d5158db43ad3b37e4ba97c2de3dcdd04117c4317b41832bce5760b66531222b3801b3f08b3d592831cf519994a35

C:\Users\Admin\AppData\Local\TempQWNKP.txt

MD5 465865360cd0ba68badf0ccd4980331b
SHA1 e55ab780d6bdbcb4a1cb56eea47a86abd26a8f13
SHA256 13df97d3733d9aa539f1980e8c0995929b9ba0914c344d5aad0e83ea02598e5e
SHA512 7b01180631ec16beeecda3322bac144ef0c1e01ba7295789b59be4981bbf0ae973f95b163af22c349fd3a083a0eb86df4233d391ca1669ee6e08896a2c473863

C:\Users\Admin\AppData\Local\Temp\DQMYPSRTFJOCNWN\service.exe

MD5 751c3484eb1d7d1a1b821ebef557fb47
SHA1 efce2deed8cf841289c66d572f00471324b374b0
SHA256 5e9e55375e06e00c8a3057c9e52e216fd80f9c8cb1ad7c3a50b89d258244dcd5
SHA512 793dd61eaec2e6695b69324f39b783ae0b22d76a520ce7279f95fe755be6147420515e596a7e16194a5578af27ea96847b123201357f38d13b3b99da1e2227d8

C:\Users\Admin\AppData\Local\TempLIRDJ.txt

MD5 0ad6c9500e0217c6a48554d553396c1f
SHA1 ba19a344bcef4b2edb43ff807dd4aec698822639
SHA256 819a70bd41db67deebfb277a07da2ea0319aae00f012a4cf28d2a713ee2c7d3d
SHA512 91378178711b44ff33de321b82a02a58ae4e73bc2cd3288b0b0f370f5cca6e4633fe5c67c21e9b6e340dbae03c2483cd5c093b641e29c8d2c6dd988bbb9fa488

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

MD5 4846e9ae4eb6da48b3ff76bb0d1c96f5
SHA1 4e449028f9559dc2384b58ad92ca4019b288caf5
SHA256 a04c60c94fdaddaaac8a7d5a8fb0c0198d45b0963e6ce1687fe108d78c8db2ee
SHA512 d4d6f492615b40722308404fd2d660977625c7b642ec6d4dd52b9c81d7e8c5ac6046a49f6bfb2c0c2658fe6ca922f4baadfa1166608f56034b1fcb409604d6f4

C:\Users\Admin\AppData\Local\TempKSELP.txt

MD5 1177496c947a69db47a7fe37d2b2c738
SHA1 e620660c26a58e6d8c51c30a336f037907f3f74f
SHA256 d53a356106d076db04b76fcb363ecd2596af20fb4e489c4fdbae1e315d995edb
SHA512 c2346ee11705256b93f4a4ba9d3b90ff8bca1524d11f3f3cc34a691b53dfb0fd2414140ff1cc34bda3d5a2f2eb6ed94b4e841352d7d8a6400cae9bbdd4bef505

C:\Users\Admin\AppData\Local\Temp\FBWPVNDNHFIYUVD\service.exe

MD5 8d637167e6787c9dc26ac18fecc8e941
SHA1 0a5c9f9b3218c92e20021ad4bb3de662f1631306
SHA256 6ba883429f2b797b9b537a5b58caaf49ce5f603c13b3d5ee2a087c67ac2d3d00
SHA512 acfe64a693dbc03d2be238f15a4ca5a90cc4a98790b8fc99ff7abf5c4e85698ec17004dcfefb0fa46506663d362b57b8d942a8e9e625fee54180f1f00160998c

C:\Users\Admin\AppData\Local\TempJIWDT.txt

MD5 6fe9341909588e65cf059330f305041a
SHA1 0584b50ca63bae1de312355a58a7c96a32fcfd3a
SHA256 32c0e3e7914e05cf9441e17627a5fbe5bafa7fbd90b77f39002fb97286b1b081
SHA512 f1103b5a7ed0f2b7ebe8c41aae5310c3ad40a63c4a2ec357d9f7d449582eb85796dfd13db78e4d4dad8838cc58ae8c4fd740cd10ff687592747602244cc751cf

C:\Users\Admin\AppData\Local\Temp\DUNTLBMFDGWSTBP\service.exe

MD5 6c575affba5244471936cbd51532baa7
SHA1 873b8b0efa4297a016afac8cea977977e56c8aae
SHA256 5032ece8d419e40b7a69c479145c3fcaace40bba8fcd30d7d915f3a89068e6e2
SHA512 97a59daff9b12d86b9fa9b7cf52fb2ff4d0f179971b5724287c7e9ba616542a1ecdde2404f4624070eb02bd858b674ffa83d8a81281a640e4e43f9b47d78c43e

C:\Users\Admin\AppData\Local\TempDGHQM.txt

MD5 805a0854b6bdae48c71ee7464113dc78
SHA1 e875d5d0a2665556c4528d2194e4e721069cd0b6
SHA256 352b1d6863171eea99aabdc71997a75c797d2c196682d593e1607aeb9a3ba959
SHA512 a18211060ec6b9aed9e9595cf1eaf730b6d840680b29fd2059bd731660e4d59f3af274c4d1420b975f4cd44fb750089fda5eb7b44c75e73c36fbe1764b2a2d2e

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

MD5 74f40d82f8dada9f624e3872763e686b
SHA1 17d2e377a731c7582573d8a6c1e94c657ee3e6bc
SHA256 2e0a8f0f42384602727577a7023a848e218577a8cf311baf3be8fbea7f2bb2be
SHA512 a770ffe6a760923fae6acc784578a16cb99d44917ca865fa831222914fc1537634b3a74765de83a4f012219ee0b8d04b48e6836a40447414a003a3cedfc545a0

C:\Users\Admin\AppData\Local\TempDHHBG.txt

MD5 f0385e3b9c074f1aa23c1ad26c6e1723
SHA1 201d1a9a441b1bbee8c9a2f9c9706002b97c56fd
SHA256 341e1205affd8b9c64f10cd312144d757c25b502c8f1a1ffae36ba60fcfb3e14
SHA512 0e134173c651a36685f66a423e0a1dce4ce34c7d215fa995ad4ce91581f5f89c8c3be52d75ee80339c910acbf380a665e8a4498a2cb608b587c9d8195eb617c1

C:\Users\Admin\AppData\Local\Temp\GPHDRWIJGOAHLCN\service.exe

MD5 a6e107c04e3b76a3930eca9ffe4e37bf
SHA1 07f1d83710550cc624a98de42e5825d27954568f
SHA256 329a5cb704ef0a1304fdd4f9fafdd5bc301423b203b639ccac960f5f38352c71
SHA512 1e26488f1cd6aa2d6fd033dc8b90651bf044dec7644d4788ed096db25909be0f2db6ef3cef868d02cf144e9d81f2083103b5c4e15821554f65cca82e4d9552ef

C:\Users\Admin\AppData\Local\TempPYATT.txt

MD5 6f0441fab5f71b8ad67a9e9651b9967a
SHA1 8ca651b8d62a1a5f2a988ecf583ff2f0ca5ea0f8
SHA256 5a231a15c85c0a463ab7c95026ae500e1be282361d2ee083dae5f1bd79da323a
SHA512 f14ebd51f90fe50b5f49bf381d58f8ce7c867c01ef1548d27753a47377be165b044b3936a3b41fd8221e24a99be4f4012b9927fc551f932bd423da31ed4964c1

C:\Users\Admin\AppData\Local\Temp\UOHMTFFTYAQYMXN\service.exe

MD5 0731002e5dbf89e9de8129d96f2d8c30
SHA1 a6bbce959f9714a49454773f85e40971b2c0aadb
SHA256 e1c0916f45b3decd8de4ac6b86e3bff1b8223f3546a0a98796010e95beddb02b
SHA512 068a6e85cebc6bcd47c0bbac3cac72edc7deb47aab0c617eea21cccc8db013db995244c4c2416cc3f81f288ce973e967e76ee227ae0cd33a17c3ed7cf5cff31a

C:\Users\Admin\AppData\Local\TempAJXFT.txt

MD5 8cf1bf2846e63ce08e7fb6d7f2463b46
SHA1 fc0be31607702f4764e98398541630eab6b4f42a
SHA256 28f389f73d2135a4d96c1abce48626ed4561d31fb14bfbe9790b691b79297429
SHA512 fd783bfac613f1be8a48411aa0f9208dcabbb6c0496ddd3516dc7bea68cf661e6569b85147ddce2e7981e29ef30e4e97654ab397dee99cc3372da2dc7641db65

C:\Users\Admin\AppData\Local\Temp\CUMSLBLFYDFWSTA\service.exe

MD5 9656d67cffc5fe64185f8dea7db0c60a
SHA1 c5653c283f8f64f8a0b6798d067ea2f305125021
SHA256 7f5368f2444c98759b1303832052adc116722b737780745a5a7688519f1cee69
SHA512 2f45de6cee21e11c74f3f81c881788f6cc4f47462938cad0af36c4fd7127b7635f344db80eab23a926e73979e3a0b3c67652e5df2192504a8238d225277b6a27

C:\Users\Admin\AppData\Local\TempAHIQM.txt

MD5 61cde408dd426c6058615a38ac55b111
SHA1 adbe0c98fdb7bedf65c3ebf822fc0e16ff8adbae
SHA256 ba28d2450c52ff4aafa1398dd94f51ffeafa327a6b43f8f9d849406b11e86724
SHA512 8194517c39f38dca4bc3a526b8df4d5ce5dbf20363867661c3c26125c74577a5db733eb07e5e63ad26827a473bf65e71ea0a1847eaddaca1119ae323a6d833b6

C:\Users\Admin\AppData\Local\Temp\OHWGOCCDXDUPCJE\service.exe

MD5 f66e87adf56bd65fbcbd7c95c293a8ac
SHA1 617256b55e82bf2f9d20f35426427f94bb1314cb
SHA256 048de65672aa699e71e71087cfd8bbc0606d04be54ae4db4a30d565147f6bcbb
SHA512 f2a7b6cf3b364df4712ec51a7168f0941bdfb9e48e492f70446cefbf53c9262ebe29a5f0de7a4f80ea99d2484c624031c4d5762c39bb351a0fdf57a1e416110f

C:\Users\Admin\AppData\Local\TempHQHBL.txt

MD5 c0f2c55747dcd57e7b8351e0d1d953bd
SHA1 575ac1a4eec940e1b5739e12773826a05c1318d7
SHA256 89a87f9771461e63dc6cecf6e49f3f675390136d94671914a6a169ccbbeb97aa
SHA512 37e6aa6eff86f8ffb5cedd832c56411e1fd460e6a8c9752cd726b4069c13b96799940094ab53e6620e69b7fc2571fd34f67e76c2d08c4e788794116ef2e410bb

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe

MD5 f64e5fafdcda9e9db242d6a27d67692e
SHA1 f7276007ac7cd232b7f340dcb98d4f36bf7ea904
SHA256 07376effcdadec2d14cee2b18d49398601194e7a8f922eaae1c62a5edc5ffd54
SHA512 130c3bac84e64d9cb02c5023285a0bc38c54fcb701e90ceeacf2a29b5a43c0f079000f5ef71a7a4b728cec2cee4a00d1ca574c4a2c421d9dec90986a7be9b0e4

C:\Users\Admin\AppData\Local\TempURAMS.txt

MD5 35131b564a0e147be70d9bb5535803b4
SHA1 7db8b9f32ffea1829c0f8a3f52f539dd6450e364
SHA256 f7f0c9bd1bd49051abd3100845174250086be3912a63f36d018eef216776d637
SHA512 87545ecca1273af82ee58e9a6a2223912acc3cb00e85abaad2bf60c0085ce77b4514337cbc24825bee3c3014336339c5b61a770e4d2540a2d174ac83cd0a285f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe

MD5 68cabfd2b027159ea40897e78115fe5e
SHA1 fdf52c02268476043253745ef71f46d7bc4b91ec
SHA256 de32f1df1b28b3eae67cf88cd7c45e99d35f7e6b960c98ffa339970281a9f839
SHA512 889dc1ab514bf7f6927f07d1b748897168c5d4c7a7b105f86a2cec776f0bcf377defe13cf517d4d136bb80d6666ebf345e881eca5b8cc43e6bfc025af5eaf7d0

C:\Users\Admin\AppData\Local\TempEPWMK.txt

MD5 6df101e5793392a3a4687cb3f0d05d43
SHA1 8bde684a4b0df6d745ccf82ac144b7f10552c5f0
SHA256 89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc
SHA512 d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9

C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

MD5 9cbf730ed081d04bcea32207e452d2bb
SHA1 dcb0d45e022c18049e2ac94f7f1060bffc1b5bd7
SHA256 185ccdb4aef4f07a55b4b495efc376f86ecf83c3d940d07c36a74fc048deef98
SHA512 8b2cd6535e25ceb3391fc03ac534ead2d42d2a48b9a3ec26a0cd8f92480c2db68a60c272af62e8fec4ff84d4a42404e13d0c76094dab15bb0422c7788b32aa7f

C:\Users\Admin\AppData\Local\TempNIWVH.txt

MD5 bafb50a1971b8546c449cbdebb9e6964
SHA1 0bdb7fabafbc7f2d3703d6ddab0e97ba0ccd0baf
SHA256 4f5079af7f4649ed59b30f899f14d364dc414c0abad886a7fefc8a6ac1b8124a
SHA512 e7ffcde9ee652c8625b151f8e82f5fb8d5b9afba03257a3b23c98f3932913ea44ff703b015340e9c616a928485bb679f89108080d311a8747bafd76336323fc6

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKBSJIT\service.exe

MD5 3b8537577ef3c1ba8a43229bb139dac4
SHA1 b840c47091bdb14259f13e07a1daf481cb201251
SHA256 91df12a7cad3890c59f7fd368046bc7b03b72ca98302f16d9b28d3b63dae2849
SHA512 b047b0fcb89d3a8b6b14beda53f926cbe9b90d26ac3cbd5c2059c5657aca1567ca0877b747383d709adc5d52375b6ff5ae4387e9d0f64cb7c7dd4c80bcc1cc87

C:\Users\Admin\AppData\Local\TempDGHRM.txt

MD5 dff4ae58083e32cdf232fb45d9f443c0
SHA1 27541d36da950e2ae054582c47c46776d8bc19d3
SHA256 aa5a8a612ee9baae2cedddba86559f6cb2cd320c7b15c1b342461309390b87c3
SHA512 5362115279c09230e1754c0be624f0800d7a1cbc9d6759b29e7dfd55d89caf3cb94518193c3aef73f57d56c1550082ae66bd9dc52c27c12ce168f6180ba23ab6

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNCMC\service.exe

MD5 b74e3d14a777ab4af320b6e53b5b992b
SHA1 795b2ddc87f90456923d89bf566e62300bebac9e
SHA256 6c01d92f5e3afcfc8827d4990925cee549a88de0440e004fddc3ebb404ef6234
SHA512 702de60ff996e81f40f06e138d729ea5de88463974a884b4be77c6677d17f8e9800f51a2e1d1986064484e431fc35acb36404b1ef0092eabeced326774f41517

C:\Users\Admin\AppData\Local\TempFXWTT.txt

MD5 993066f21325205a64b0450462faf8a5
SHA1 99079d6e1bf9f525b720fba70c64151a854e8085
SHA256 07c52e167a8bb1810d5337f759e83f5cf7d69b0863e339c3b5239471f17b1196
SHA512 43130ca52013ad6e00369c2af043183ebe6a260ddc536826bd42a85398f4d76b26e694f569bcb8200302578ba3bb87dc56b9b64263175c1d8cb26a7413b35f86

C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe

MD5 a3ea673fb83b9a3b4108127111f5a3ba
SHA1 6c29a3f34e58c16e2d88b74478e590d69b582761
SHA256 74bece6d8a95396efdc2a6273ed1d2e524261b7eff0ef4dad20653f20d3dbaf6
SHA512 b226849eea549a92e78003338e2f13dab48e97d1b4cb3c45f2f697ee55df8b1fea2253a98d783d803d6fa15e817ce72f411dcc4cb678af3cf01652d117a9ab1b

C:\Users\Admin\AppData\Local\TempNWIOT.txt

MD5 f87838cab15eda7ef4c359836eceb7d7
SHA1 76f05a70bba2933e540244898948213ea8af4893
SHA256 b047a9e48755404137e2102cbabff94592f10874757691e7d09714e36c1d8a7a
SHA512 cab55ca4d4f50bba7c56b92363accec829b266017af508eb2b9a3e48c79435f48e4f43bec06597964598f79df69b1743df553c6f24b256403d04a3a2c2292d24

C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKHQCIN\service.exe

MD5 ec8f323623f6d1857b2438e114a56fb1
SHA1 7be8b0dac03300c0edcbb985b2feeb01278a0513
SHA256 1317b615c5302c15f6deb6680e0b339b39679adee9ca3bbeaacfcbe18c7c2855
SHA512 890c48664cda2626d756fd869f7c7a61443d8ed5199a7f0461feb780c7f5727ed8a45fcd3d181c4feff8b7a2244f18258653e2021e40266925a03e864931f9ff

C:\Users\Admin\AppData\Local\TempAJXFT.txt

MD5 120537d96045d46e2ec2a722f68af997
SHA1 e14c077f5d18ac1ceb39cc6fbea443d10549f1f1
SHA256 707a34b25667e08a7141de1eab266006d310482c59b7ea0b42c472e3beaa18cc
SHA512 2805bb82415c3feb1b5bea94c96e6128cec78f96999ba18a7ac9ab109347df0fbf87aeb89b523e3d10362ad4a111967430d920dbfc5acea73d4ce60773e8c4a3

C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

MD5 61f2596f5a0fdcaf59c627bc96fe4fb5
SHA1 84b19aa6432391ad15ca4f16695db8faeb267b84
SHA256 1d2d7fe5d87442cbef7bce02d721e3db2afb0e8a499d41493e43cdd258c25078
SHA512 34b91543f1ef0224f5c250443ca3976a4d01f145fe58f1ae8cd6d6301e1357efa223ca6da76d956ffd358ec84551ca0e3e59739a429c1e24d58e4a241e4b8c59

C:\Users\Admin\AppData\Local\TempGBHVD.txt

MD5 fc4fc4d0e67121ad7c4abfe5e5e1a17b
SHA1 5c85394b9f2aa5972caab7d5f3e1730b143a05f9
SHA256 f5b5a300415e73e733e16403c35df1f1cc3957bd86cde08570adeaf45d904b17
SHA512 e57b463c78f1b96e1030f8973a404437c833271a878577b73bbbea0918f3ad263950dfa169dcf01380a01a24f1a2873370f89c09e4277cd95cabdbb277afd3d0

C:\Users\Admin\AppData\Local\TempNJXWI.txt

MD5 52646ae1a90239b05b5defbc0c7aa789
SHA1 3b9fdf2279c61e8a858e0b3277fa6694b512777f
SHA256 df07f65149ce86d914f663c92961d4509168e04b71ec3c4f408785030fe48751
SHA512 ffbf8ee667a711ba4c60a09955b5d0551e38c1112e1a6f0f977f4616110ff7d1bd4bcbe693dfac84e2b6ba9022fd8cd40b32b24b853d7d58b57d8d310fa63978

C:\Users\Admin\AppData\Local\TempNXTAG.txt

MD5 572edd0e76bce32037f4b62e35ad8372
SHA1 0db2f37c0ded2a3462b298e379a7ed106c3d91d7
SHA256 c3a4e318118e5cb5873e83bdce7991328bdc7869fec42e38a1eaa4ef7eb07ada
SHA512 a7da5e5f7789e3c96a62ea7ca7caacdf217d5f86a770637cb49c7d37a04be5423185dd2f97d5a4337446e2e4a52e648b267c54af997f48abce0fd81e3cbbfb95

C:\Users\Admin\AppData\Local\TempOPYUB.txt

MD5 f5384b44e8e5e967c113012b496349ff
SHA1 81eb9aebe47f4ce35b312f234ca6e33bc81325cc
SHA256 5eaa355f0dc5eb39ebfe20614e41728909ff00ae656998aa368f043c52bbf5e5
SHA512 5f9f8d6696d8f0cdd1eda4cb8285d9c2036a4fe636141b09f330487caa94864832fcb00f53f22f2427b80db49bd7f175538a07f3e93f737d21699c6dd1f9142f

C:\Users\Admin\AppData\Local\TempLHVUG.txt

MD5 1b3335d1413cce612b26e63dea5c3ee9
SHA1 5fc3a2553e2ec413c04f5828f4ba14e17e9d3d8e
SHA256 1eed0376af4941ff6ff1271cc33d724d723a7f5c2c33591d733e73bb634cbed9
SHA512 3acf07fdefa32daf960353c147148355643ff65496b8381b4f3685dc5d1bbb940705e46802d0a1ec18e82a035daab7bab1e1d14d2f19f8c29d41b11cd997cbbe

C:\Users\Admin\AppData\Local\TempFXVEE.txt

MD5 f22c6d404e24bbc2ee98e6a28aa195ef
SHA1 4399df7d6a4c520a5350c941fc9d59a399862e20
SHA256 7ee75d73e4f2e5530d2a0cf9f5cddd001e64229a09cb85064a20ca21f82d38f4
SHA512 d297aeeeef4c2f954a43a0f6afef99294e452807fa5264295d9038530808ae5a9e9c93ebb854964be331360717ab29b53f3031dd4df346f9a73a1becb5d6a2c7

C:\Users\Admin\AppData\Local\TempXSSHQ.txt

MD5 3e81e6dcb864b4c554164ae46d86c0ee
SHA1 942aacb46f4e6fc9dfbaa3ad5818e20faf2cc225
SHA256 bd2f8ffdb3aa85827b29d12470f888dcb45443d96e3b6c63ab537abb23e12840
SHA512 d80fba86dfc5ae889e86c9d311c992427faac892807f2770cdcbae05c8d5bbff44b806d33352a3b778ae2a6f879fc7f3a828f2ed2a1aca088c27850378eb7d07

C:\Users\Admin\AppData\Local\TempYAHHQ.txt

MD5 559765df6500051fcb7b05a531784948
SHA1 a352c5b0ae4650404989944559c6aac131744d3b
SHA256 7218951015fbfda41d6abd84c116eaf053514c2ada6978fc0e50f17fe2ed8179
SHA512 4b5cd8bc9a3792d6a216d5dc71d18177f325038bf513b6415be74f9dcafd5707aa46e276c7b682bfacb74681cbbba554f02ec84289699a410aae25937acb1c01

C:\Users\Admin\AppData\Local\TempUUJSF.txt

MD5 03e34203e7084a09628f1ceaa8eb2a78
SHA1 8470037796b3becf0334163d4e49f245b9b3a073
SHA256 1cd045e752b401e2e246d554d546dbb6b88e2c906c2fe3f4688bb1a7175e74cb
SHA512 e68dcd588006851e55f86a3fad42c34394732da7e9bf45ce9b33bcca01838df0e650397a32235d0104013a6abe145ad024af734981845f9fa6b0c04346eb10c3

C:\Users\Admin\AppData\Local\TempVBTXS.txt

MD5 7fc83caa51827e24a9cb316306a8a179
SHA1 1e2b67cf403653ac666382c3d9ebc83b94b9d48a
SHA256 130879b093bedb944e2c94661322f86925a1f4de8b10f081c45b6ea253f32ad1
SHA512 bf1a97fa8d2b18e20b2920b005656008af7fa2e7c01e1bcd031f6243d0d20c4b892deb554bd46f8338a547f4364fc6171e2fbbf6743b3b629868871672b26ecf

C:\Users\Admin\AppData\Local\TempEYCNL.txt

MD5 0a9d2556ac2930cd3b1e617d113990f3
SHA1 fb59dab6253d6e712010051723425c5bc7a4e236
SHA256 031719e870b8b07f6da8d87e2aa3ac7fcff9d9542826f1d3eb7a21066e5f9def
SHA512 46484199f4ff22f743c26ff7478aa5c2bd24f817a8611f65e76fe34f50f4f66705e7f162bd83261be2030e9269852d3f06664b8e076fd23ae92d0d41be8caecd

C:\Users\Admin\AppData\Local\TempUFYYN.txt

MD5 35a1ab43d0d9daa94f8a90d1fd49b4a3
SHA1 75695acca8167e2c70acefd9c9a8a5b5fe6d66b5
SHA256 a1f6789a3bf9d6d15633e5efddc4250dbb70d98eedb06d6315eecf38462ad2ea
SHA512 6a4e61c922a124146450bab7c7cb22a1f11e8fc77cb4ae069a52e163d30d9f7fcb9a22d43148da55c4b73b94018a5588c4d98a5e1f602542ea4526649423e3f9

C:\Users\Admin\AppData\Local\TempRMUJJ.txt

MD5 1bc3fea9f47b62158e96f9c887c4e15a
SHA1 4e79a920c7df0a3bc564f074a3a52a6f736367a9
SHA256 3bea3ce73171f8373ec63b4ad065f6a7d149d3125c116cec1a0096401d95b321
SHA512 e4114ff25e7217bf639128720921b9ece015dd4389eb634315a3217b54f92a04ddaaf7cbc362d9c2a0022489584afbb4d720ced750dc0e831c14957b17521e89

C:\Users\Admin\AppData\Local\TempOMQLT.txt

MD5 5eb9108f067adcf608d833883e3a07f2
SHA1 e650d4150cfe98abda68db69d44ca5be8db039e9
SHA256 034166308c5ecf920f9528df3e6360e277479d497e1c01504226893f1d3fb97c
SHA512 d1fede2b3bb65ddf402b09de31213adafbb9ab1800d7e97fe855682e64aad93dc29a7de29a244ab200a52b7da3984050ddd6ec010ebe33cf12faea7c39a7f5d8

C:\Users\Admin\AppData\Local\TempGHEMF.txt

MD5 6ad2fdb2cb2e9751b3f87623415b2c1e
SHA1 f60a9be5ca20760142ceca80d23379bc1c3e8c85
SHA256 c1049faa10744eca932c04804ba0f59b3947559d457cfedf98e6287e22d422fe
SHA512 a8326d6801d375b30e6e4080e3b3c1be4ef7bfa8833f7c1d0feef6f5495fa5038ed22e44096191431709909109ef7b8f6c93c87f9ae8bea2a6e9365bb164bb56

C:\Users\Admin\AppData\Local\TempBEFOK.txt

MD5 fe0cd675e27063dfe4c8dff3ea68c455
SHA1 e46a35fa22461c1816d23561cf5e0faaa8dabaf6
SHA256 27ffeb64d8931b2d762bca7ae855666afbeda91b97c06c11768327eb39db6a91
SHA512 e294e2ce842ec8f577b1048b629a6d1dc6c6bb175f76541e6697207a92711be66f5c98dcb800a6295646a6e07f91653f6b872fc9ffad28a7ac7de124f6c02bbc

C:\Users\Admin\AppData\Local\TempWFGOK.txt

MD5 dd8c4ea5e4f35aafaac1e8882649dfb4
SHA1 28039a9804e5495ed7e7388c66427e22a4f0a043
SHA256 8b731e9f8526e23d3182a593cb25cc84113933f7afd160b996f11910c18db9dc
SHA512 dfa929ddcb14492b5b625e745d016ec5c91825cf7245f4d0dd05d77c9ee2c324bca75cc48012c31c7ab17153598d1ede79147d635b89fcbd4941d58fc141081c

C:\Users\Admin\AppData\Local\TempPTOWL.txt

MD5 c7ae422a1713c3ceaf6d55a47a69ced4
SHA1 f7358b78eb996bbc9535a7a5d2f676e0b51cc2dd
SHA256 01930156d66b91739abec3f67c182f3676cbbb394b3a2a1cee02d3655f0940f3
SHA512 3eec101482868ef09f0d1bf0bb961753acdb17222309c39c45f4b03b4c3607e0a15ee0c62167c1e025724683f7b1512cb039524ac7f1c400c26d74132a9a6af3

C:\Users\Admin\AppData\Local\TempLIQDJ.txt

MD5 957ad5dbaa44ac91d5d250272d2a94e1
SHA1 d6c101bb30848098ab9c181fbbc422278ab6f6e3
SHA256 64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582
SHA512 052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857

C:\Users\Admin\AppData\Local\TempIRNVM.txt

MD5 7bbbb601e16501019f9650372554699c
SHA1 6e59d935bc5cafc0a452796b4771f70446480400
SHA256 6f5263aa019468fb1d91be7619c35319bd7f31c7d00f94918e5c901b5acc29a4
SHA512 4db55ec095a587030e059cd819c9319f2601be64aa0b963b867e83739e14710df5f7b390828cc2d76d9991f961b4ac5be1894548ec666d4f774ab708e0cfa903

C:\Users\Admin\AppData\Local\TempGAOXK.txt

MD5 c50c7621112fa1afb44904390e54c3c7
SHA1 7b090097af1e5ac92d212cbcf0b687ee773dee78
SHA256 5b26f953f04bf432172e566629398021a7a5e191ccb4d8d745c5611eea898737
SHA512 c73f09f0a6b1e33b9f216839fa1679f9bb800325667483337b127197835d109a161cf4260ad2fef587b39a6783bd4238a607ccdeac848ddb82b6d744d6caf81a

C:\Users\Admin\AppData\Local\TempGPCYX.txt

MD5 4f7f277105ed68afb89676851d86b580
SHA1 568a2057b0f9bf90f234b3466871bffcc2ef6f07
SHA256 5a37ec247c7370164d16b83ba2c49d12708e04db78d164e6c724fbbaa897d3c4
SHA512 cf55553e06960be9dfa8055405d97d45bd137ce3a8108dc59994cbcccbae0b8615c69d7beddd384ac4622a51dc5d1bc8ef45008860aad2af4067664c0281f1a3

C:\Users\Admin\AppData\Local\TempACQML.txt

MD5 d66f5919e5c9ded362fb8a7834e23ed0
SHA1 6e91d02599911d1f38b84c0ed717427e87fcc00c
SHA256 592087cc6e79795816c74d8e7479e2393731b05f2675733596029f781b3bd365
SHA512 c616cb0f5ce0c51cd4d5a6ef16869ab18006f0ef7f08950744f02a7c8ced3ad884f27321bd22e25668635eb9650391638236401c2f85dac38c28a8f8c5319622

C:\Users\Admin\AppData\Local\TempYKQVH.txt

MD5 d1cfcbdc161ceaed63dc7266a83e42fd
SHA1 0aec884c475de6ece1c4322c69e7fa14c7f021fa
SHA256 baecdb95b1e6bcce26d526880dd7b106c870d36ce53e850334dbe28c6d04f0be
SHA512 e125a33ecf700d880a8419021310f9bb8616cc8f16877c26d8e0c0c3d918cdc681cb5976b6956b18c6e60fbf77d2f342c956ac3825b0c37448a5ca2f75f16064

C:\Users\Admin\AppData\Local\TempFSWWP.txt

MD5 b4dd6a91063ec87374151d302fe95647
SHA1 fc6509aeb470d6b168cdd832eb458d4d55e89c4b
SHA256 1ddfda2c13102ec9e5d79a69f67682de3f321b1df50b8d0e40421df5ff3bcd98
SHA512 2eaf88609a764169eb7a14f20b6519f2eaf83e6359526b919376cf8c9cb4c7e2810412bc0f05a7397ae417a4898dee964f2240709f640264580f2f999e5e658f

memory/2708-1171-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2708-1170-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2708-1176-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2708-1179-0x0000000000400000-0x0000000000471000-memory.dmp