Malware Analysis Report

2025-05-06 00:15

Sample ID 250124-khkq4a1kfl
Target 70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe
SHA256 70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67f
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67f

Threat Level: Known bad

The file 70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Modifies firewall policy service

Blackshades

Blackshades family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-24 08:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-24 08:36

Reported

2025-01-24 08:38

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYTRCWJCWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMKOJQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFVEMAABWBSNAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPCOWOBDXTOCXJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVTXLBOKIXNANPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOGWOCMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRJFAQJKTXYKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUXBSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQVNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HQNHXRCSCRSPYKQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUFEIWXKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OGXPLGWPBQAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRHSLJMYCHVUG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQLFAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLFAAPQNWIO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTECHYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMDVNJEUNOXNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HCYRWPFPJHKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHPYAAOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YUIVGEJWXAKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSHBYAHQGMDULKA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYCVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\AOXOCDYUPCYJEJY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNOBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNNUJIJFDKFVIQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNSFJFCTRHHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWUDXNDIARIGR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LYHITQOSNVJKDKK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RJIQEEFAFBWRELG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MIJURPTOWKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRFFGBGCXSFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYKIMHODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDTCKUQLFAFUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVVIJFDFVJQKPAM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCWYMRWCDBJC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UBTEQPQMKRMCPXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNTLCBEFTBPOAIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDSWIJGOBHMCO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QMANYVBTXSOPCHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GLYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBWQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BDGRSOMOERITYJV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMKSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GFSIWSQAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCSSQYKR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAQRO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAUQLVGWBFVWTCO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWNXQPRDHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\JYWFFRXOMQLSHIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHXGOCCDYDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACWSNBWIXCHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYOSQTEJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWIGKFNBYCVTCCV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JBRAISOJDDSTQAL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VSPUPWLMELMUQQF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQSNLNDRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBULMJRDKO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLMIGIYMTCNSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBPUFGEMEJYA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 2252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1284 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
PID 1284 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
PID 1284 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
PID 1284 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2696 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
PID 2696 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
PID 2696 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
PID 2696 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
PID 1980 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
PID 1980 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
PID 1980 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
PID 1980 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe
PID 2732 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2016 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
PID 2732 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
PID 2732 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
PID 2732 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe
PID 2132 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1156 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
PID 2132 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
PID 2132 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
PID 2132 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe
PID 1920 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe

"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXMIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTQLFAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOBXVA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSPUPWLMELMUQQF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNOBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNNUJIJFDKFVIQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFXOLFAAPQNWIO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYGOFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCSSQYKR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPYATT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QMANYVBTXSOPCHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIYWF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPCOWOBDXTOCXJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLNDRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBULMJRDKO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXNIRI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYKIMHODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDTCKUQLFAFUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLMIGIYMTCNSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENXFBPUFGEMEJYA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTECHYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMDVNJEUNOXNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HCYRWPFPJHKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGFJWA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRSOMOERITYJV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMKSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIPTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAQRO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNSFJFCTRHHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe

"C:\Users\Admin\AppData\Local\Temp\MOEWUDXNDIARIGR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUXBSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQVNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGEID.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HQNHXRCSCRSPYKQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUKIMH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLVGWBFVWTCO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWNXQPRDHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempACQLK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUFEIWXKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXUASW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVVIJFDFVJQKPAM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCWYMRWCDBJC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIPTFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWPBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCHPYAAOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMPRWC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYTRCWJCWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempACQML.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YUIVGEJWXAKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSHBYAHQGMDULKA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTOXOD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LYHITQOSNVJKDKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RJIQEEFAFBWRELG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKOPYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GFSIWSQAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVTXLBOKIXNANPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKSELP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UBTEQPQMKRMCPXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIQCJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRJFAQJKTXYKK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWGRXO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AOXOCDYUPCYJEJY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDSXJF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLCBEFTBPOAIA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GPHDSWIJGOBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHIRM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JYWFFRXOMQLSHIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHXGOCCDYDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPWMKO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBWIXCHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYOSQTEJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLYGPG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWIGKFNBYCVTCCV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe

"C:\Users\Admin\AppData\Local\Temp\JBRAISOJDDSTQAL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMKOJQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFVEMAABWBSNAHC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIJURPTOWKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe"

C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe

C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRFFGBGCXSFMH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 08:36

Reported

2025-01-24 08:38

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGBJUWRPRHVDLCX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LGEVTJJLGCDNJXW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DQPCKBTLHCSLMVY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTHTEDHYUWIOVVG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JIVCLVTDYKEYFVO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOHNUFGTYAQYMXN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QVSGSDCGYXTUHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TATDPOPLJQLBOWF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KQVHEIDLAXBYTRA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFOFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHWCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFJEMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DBFAITUQOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LSWIGKFNBYCVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TQEQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MREIEBSYQGGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LNDVTCWMCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KOTABGESSFHCADY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQPXLLMHFMIYLSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ECGYXUVINUVGAOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NJHJNUDOTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDBRXPGFHCAJXFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQNBNVBTXSOQCIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELHWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WBTXSPQDIPQYBUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEYAVPDKFJXGSYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NDXVUYLBPLJXOAN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HJVVWRQWSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGEIDLWAYTRAATJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBRRPXJQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQDAPXOCDYUPCYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMMTIHIECJEUHPJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTAJWSQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSGSDCGYXTUHNUU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BEPRMKMCQXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYKKIQCJN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKPWX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XTHUFEIVWJPWWHB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAVOUMDNGFHXTUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESOMRDQSOGKLUQD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVRUXWYKOTABGDS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKYXJRJSOJTEUDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXBEUQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIWRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOEKCSKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCNUYKIMHPDEXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LDTDKUAQLGAFVWT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHUCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
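The 42 rows above all follow one shape: a value name of 15 random uppercase letters under HKCU\...\Run, pointing at service.exe inside a 15-letter random directory under %LOCALAPPDATA%\Temp, and written by reg.exe rather than by the payload. The script below is an added example for this page (it is not sandbox output and not code from the sample) that parses rows in this format and scores them on those three traits. The first three entries of SAMPLE_ROWS are copied from the table; the fourth, a OneDrive autorun, is constructed here as a benign control. The name patterns and the two-reason threshold are this example's own assumptions.

```python
"""Pull persistence IOCs out of "Adds Run key to start application" rows.

Added example for this page; not part of the sandbox output or of the sample.
"""
import re
from dataclasses import dataclass

# One sandbox row: Set value (str) <key>\<value name> = "<data>" <writer> <target>
# Backslashes inside the quoted data are doubled in the report.
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>\S+)'
    r' = "(?P<data>(?:[^"\\]|\\.)*)" (?P<writer>\S+) (?P<target>\S+)$'
)
# Assumption drawn from the rows on this page: the sample names both the drop
# directory and the Run value with 15 random uppercase ASCII letters.
RANDOM15 = re.compile(r'^[A-Z]{15}$')
TEMP_SERVICE = re.compile(
    r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\(?P<dir>[A-Z]{15})\\service\.exe$'
)

SAMPLE_ROWS = [
    # three rows copied from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CGBJUWRPRHVDLCX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDECKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSVGKQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YWAOESNLQDQSNGJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHFMVLRJRFPGB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A',
    # constructed benign control, not from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]


@dataclass(frozen=True)
class RunKeyFinding:
    value_name: str
    image_path: str
    writer: str
    reasons: tuple


def parse_row(row):
    """Return (value name, unescaped data, writer process) or None."""
    m = ROW_RE.match(row)
    if m is None:
        return None
    data = m.group('data').replace('\\\\', '\\')  # undo the report's escaping
    return m.group('name'), data, m.group('writer')


def assess(row):
    parsed = parse_row(row)
    if parsed is None:
        return None
    name, data, writer = parsed
    image = data.split(' ')[0]  # strip arguments; the sample's paths have no spaces
    reasons = []
    if RANDOM15.match(name):
        reasons.append('value name is 15 random uppercase letters')
    if TEMP_SERVICE.match(image):
        reasons.append(r'image is %TEMP%\<15 uppercase letters>\service.exe')
    if writer.lower().endswith('\\reg.exe'):
        reasons.append('written through reg.exe, not by the payload itself')
    return RunKeyFinding(name, image, writer, tuple(reasons))


def triage(rows, min_reasons=2):
    """Findings with at least min_reasons indicators, deduplicated by image path."""
    seen, out = set(), []
    for row in rows:
        f = assess(row)
        if f is None or len(f.reasons) < min_reasons or f.image_path in seen:
            continue
        seen.add(f.image_path)
        out.append(f)
    return out


def drop_dirs(findings):
    """Unique random drop directories named by the Run values, for cleanup."""
    return sorted({TEMP_SERVICE.match(f.image_path).group('dir')
                   for f in findings if TEMP_SERVICE.match(f.image_path)})


if __name__ == '__main__':
    hits = triage(SAMPLE_ROWS)
    for f in hits:
        print(f.value_name, '->', f.image_path)
        for r in f.reasons:
            print('   ', r)
    print('drop directories:', drop_dirs(hits))
```

Feeding the full table through triage() gives one finding per dropped copy; drop_dirs() then lists every %TEMP% directory that has to be removed together with its Run value, since deleting the value alone leaves the binary on disk for the next copy to re-register.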

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
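The rows "Token: 1" and "Token: 31" through "Token: 35" are raw privilege LUIDs the sandbox did not resolve to names, and the 29 named rows between them sit in exactly LUID order 2 through 30: the process walked every LUID from 1 to 35 and tried to enable each one, which is the usual enable-everything loop rather than a request for the one or two privileges a legitimate tool needs. The script below is an added example for this page (not sandbox output, not code from the sample) that maps the numeric entries through the SE_*_PRIVILEGE constants from ntseapi.h and tests for that sweep. SeProfSingleProcessPrivilege and SeIncBasePriorityPrivilege are the sandbox's abbreviations of SeProfileSingleProcessPrivilege and SeIncreaseBasePriorityPrivilege, which is what whoami /priv or an event log would print; the sweep threshold of 25 is this example's own assumption.

```python
"""Resolve raw privilege LUIDs from the AdjustPrivilegeToken table and flag an
enable-all sweep.  Added example for this page, not part of the sandbox.
"""
import re

# ntseapi.h constants.  SE_MIN_WELL_KNOWN_PRIVILEGE is 2, so LUID 1 is not a
# privilege; 31..35 exist on Vista+ but were left unresolved by the sandbox.
LUID_NAMES = {
    2: 'SeCreateTokenPrivilege', 3: 'SeAssignPrimaryTokenPrivilege',
    4: 'SeLockMemoryPrivilege', 5: 'SeIncreaseQuotaPrivilege',
    6: 'SeMachineAccountPrivilege', 7: 'SeTcbPrivilege', 8: 'SeSecurityPrivilege',
    9: 'SeTakeOwnershipPrivilege', 10: 'SeLoadDriverPrivilege',
    11: 'SeSystemProfilePrivilege', 12: 'SeSystemtimePrivilege',
    13: 'SeProfileSingleProcessPrivilege', 14: 'SeIncreaseBasePriorityPrivilege',
    15: 'SeCreatePagefilePrivilege', 16: 'SeCreatePermanentPrivilege',
    17: 'SeBackupPrivilege', 18: 'SeRestorePrivilege', 19: 'SeShutdownPrivilege',
    20: 'SeDebugPrivilege', 21: 'SeAuditPrivilege', 22: 'SeSystemEnvironmentPrivilege',
    23: 'SeChangeNotifyPrivilege', 24: 'SeRemoteShutdownPrivilege',
    25: 'SeUndockPrivilege', 26: 'SeSyncAgentPrivilege',
    27: 'SeEnableDelegationPrivilege', 28: 'SeManageVolumePrivilege',
    29: 'SeImpersonatePrivilege', 30: 'SeCreateGlobalPrivilege',
    31: 'SeTrustedCredManAccessPrivilege', 32: 'SeRelabelPrivilege',
    33: 'SeIncreaseWorkingSetPrivilege', 34: 'SeTimeZonePrivilege',
    35: 'SeCreateSymbolicLinkPrivilege',
    36: 'SeDelegateSessionUserImpersonatePrivilege',
}
# Sandbox spellings that differ from the canonical privilege names.
ALIASES = {
    'SeProfSingleProcessPrivilege': 'SeProfileSingleProcessPrivilege',
    'SeIncBasePriorityPrivilege': 'SeIncreaseBasePriorityPrivilege',
}
NAME_TO_LUID = {v: k for k, v in LUID_NAMES.items()}
TOKEN_RE = re.compile(r'^Token: (?P<tok>\S+)')

# The "Token:" column of the table above, in the order the report lists it.
NAMED = [
    'SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeLockMemoryPrivilege',
    'SeIncreaseQuotaPrivilege', 'SeMachineAccountPrivilege', 'SeTcbPrivilege',
    'SeSecurityPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
    'SeSystemProfilePrivilege', 'SeSystemtimePrivilege', 'SeProfSingleProcessPrivilege',
    'SeIncBasePriorityPrivilege', 'SeCreatePagefilePrivilege', 'SeCreatePermanentPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeShutdownPrivilege', 'SeDebugPrivilege',
    'SeAuditPrivilege', 'SeSystemEnvironmentPrivilege', 'SeChangeNotifyPrivilege',
    'SeRemoteShutdownPrivilege', 'SeUndockPrivilege', 'SeSyncAgentPrivilege',
    'SeEnableDelegationPrivilege', 'SeManageVolumePrivilege', 'SeImpersonatePrivilege',
    'SeCreateGlobalPrivilege',
]
TOKENS = ['Token: 1'] + [f'Token: {n}' for n in NAMED] + [f'Token: {i}' for i in range(31, 36)]


def resolve(token_field):
    """Map one 'Token: ...' cell to (luid, canonical name, status)."""
    m = TOKEN_RE.match(token_field)
    tok = m.group('tok') if m else token_field
    if tok.isdigit():
        luid = int(tok)
        if luid in LUID_NAMES:
            return luid, LUID_NAMES[luid], 'unresolved-by-sandbox'
        return luid, None, 'invalid'  # outside SE_MIN..SE_MAX_WELL_KNOWN_PRIVILEGE
    name = ALIASES.get(tok, tok)
    status = 'named' if name in NAME_TO_LUID else 'unknown-name'
    return NAME_TO_LUID.get(name), name, status


def analyse(token_fields, sweep_threshold=25):
    rows = [resolve(t) for t in token_fields]
    luids = sorted({luid for luid, _, _ in rows if luid is not None})
    contiguous = bool(luids) and luids == list(range(luids[0], luids[-1] + 1))
    return {
        'distinct_luids': len(luids),
        'contiguous_range': (luids[0], luids[-1]) if contiguous else None,
        'invalid': [l for l, _, s in rows if s == 'invalid'],
        'unresolved': [n for _, n, s in rows if s == 'unresolved-by-sandbox'],
        # Walking every LUID in order means "enable whatever I can get".
        'enable_all_sweep': contiguous and len(luids) >= sweep_threshold,
    }


if __name__ == '__main__':
    for k, v in analyse(TOKENS).items():
        print(f'{k}: {v}')
```

On a non-admin token the sweep mostly fails (AdjustTokenPrivileges returns ERROR_NOT_ALL_ASSIGNED), so the rows above record attempts, not privileges the sample actually held; the sweep itself is the detection signal.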

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1744 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3648 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
PID 3648 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
PID 3648 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe
PID 4584 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1856 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4584 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
PID 4584 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
PID 4584 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
PID 512 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 512 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
PID 512 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
PID 512 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
PID 4300 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4300 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
PID 4300 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
PID 4300 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
PID 2336 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4012 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4012 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4012 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2336 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
PID 2336 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
PID 2336 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe
PID 100 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 100 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 100 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4304 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4304 wrote to memory of 3196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 100 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
PID 100 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
PID 100 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
PID 4192 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1880 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1880 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4192 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
PID 4192 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
PID 4192 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe
PID 4772 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe

"C:\Users\Admin\AppData\Local\Temp\70f4953bb9711a1860d37507a822c04ee074b2dc95deaf1d510bd66d9853a67fN.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAOXKJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYUWIOVVG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NJHJNUDOTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLOPVB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYAVPDKFJXGSYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPKDHI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NDXVUYLBPLJXOAN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HJVVWRQWSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHWCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYNWJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VSGSDCGYXTUHNUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFJEMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIEBSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LNDVTCWMCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYLKX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XTHUFEIVWJPWWHB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAVOUMDNGFHXTUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KOTABGESSFHCADY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQPXLLMHFMIYLSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRSXEF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JIVCLVTDYKEYFVO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAPXPJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESOMRDQSOGKLUQD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe

"C:\Users\Admin\AppData\Local\Temp\HVRUXWYKOTABGDS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QVSGSDCGYXTUHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\TATDPOPLJQLBOWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAMYJI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CGBJUWRPRHVDLCX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDECKCHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXFNEY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGEIDLWAYTRAATJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBRRPXJQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQUSVGKQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNPYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIWRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOEKCSKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEXNJR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCNUYKIMHPDEXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe

"C:\Users\Admin\AppData\Local\Temp\LDTDKUAQLGAFVWT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSEMEH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HDBRXPGFHCAJXFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHUCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLUQDA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWAOESNLQDQSNGJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEJYXG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQDAPXOCDYUPCYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UMMTIHIECJEUHPJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIQHBL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LGEVTJJLGCDNJXW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLMJSE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQPCKBTLHCSLMVY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYAUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQNBNVBTXSOQCIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELHWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUQOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJJWDT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGYXUVINUVGAOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempURAMS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYXJRJSOJTEUDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXBEUQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVLHPG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LSWIGKFNBYCVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBUJXF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KQVHEIDLAXBYTRA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\OQGAYWFOFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKPWX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJREDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WBTXSPQDIPQYBUU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 218.99.81.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 106.27.33.23.in-addr.arpa udp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempAOXKJ.txt

MD5 29321513607c0c119c775f76237d6d7a
SHA1 9748598691bfcfc190c7926dba03a77bb0298d22
SHA256 f8d9b22ed6509c63cdfcfd687d2822abc0eb7ea94498da8ff146fff4dd92c6bc
SHA512 3626c8a267a07a9ffd407c897ff38eb8c9bbc75183568d6651c1066feba919d5e506f6f05bad2fc8e25781ec5d4536c1abb04e63090d7446db1b0d9a52e2fa8d

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMG\service.txt

MD5 5cceb9fe3c184c5dad5b1879d5e8a890
SHA1 fec62ed4e0db6938dd267d164954e38086476dfc
SHA256 8786280ba2c5fe174aa653fbcd4c382bd9bad0cdd3d1caac360b2174f1d7155d
SHA512 fac859b52edefd61ecbdb6e2d86f39a13f629214bc6612992e74e0a8d15663506356afab9051722c809bc1ac7cac69b217968cb983fadd75e04e6a1e5dd96da0

C:\Users\Admin\AppData\Local\TempMHQHF.txt

MD5 5a25b81aed74b167ea51919cf873d2fc
SHA1 56b2f2e5184300b74b0e947721dd445ab94b5fc1
SHA256 c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d
SHA512 a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

MD5 74d1a45118cbff55a34b1d5f5405d78e
SHA1 e3ece577d20d2f0e41fb0af6e4d9a184e62d722e
SHA256 f2650975b1fe10b05ce43411ed3e3cafb59323b67eff891e9078a4b443557425
SHA512 2b255a06014ef5bcffa67947f24272dab0c4977c065c15d49f7cb45c87fd1fa2e2648a323f40c497b27b95fbefa60515f9eee07d2ada01a46df0b1828cb28d09

C:\Users\Admin\AppData\Local\TempWVRSS.txt

MD5 beb0003da9260463a7cb0e32e3704637
SHA1 a2e726a978203f3fd4c53408cb3ce429a516e816
SHA256 99f820126e97c2a537ae489f2904e4746b85b55bbd13e08ae8e20f74dabbea92
SHA512 7c1a9270763b66b31032096c6204b9a4873961943694b790ac71353f37a95d3347bc0eadc8571de416e22d65aa65c22c70d6ded61fd19de7aa84fc8732e6c6e6

C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
