Malware Analysis Report

2025-05-06 00:16

Sample ID 250124-kmbc8a1mck
Target a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe
SHA256 a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0

Threat Level: Known bad

The file a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Blackshades family

Blackshades

Modifies firewall policy service

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-24 08:42

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-24 08:42
Reported 2025-01-24 08:44
Platform win7-20241010-en
Max time kernel 119s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMI\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RDMDVNJEUNOXNOL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCYQWPFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHBVXCSL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEKRCDQWNVJUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBYEWVRSFKRS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKALEYCFVRSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EBFAIUVQORGUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEWNKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEMDVNJEUNOXOOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGLSEESXPXLVMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRTFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNMOJHOJNUDPT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYKEJXGRYO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FUUHIECEUIPJOLW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBVXLQVBCAIB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLPDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGOG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHCXBPFTOMRERTO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGODCDYEUPCKE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 564 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
PID 564 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
PID 564 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
PID 564 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe
PID 2936 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
PID 2936 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
PID 2936 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
PID 2936 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe
PID 2960 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2960 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
PID 2960 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
PID 2960 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
PID 2960 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe
PID 2412 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2212 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2412 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
PID 2412 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
PID 2412 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
PID 2412 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 764 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 764 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 764 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2196 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
PID 2196 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
PID 2196 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
PID 2196 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe
PID 2348 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe

"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHKMVR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QHCXBPFTOMRERTO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRTFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWWSST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGMRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RDMDVNJEUNOXNOL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYKEJXGRYO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHBVXCSL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFKRS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EBFAIUVQORGUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHIECEUIPJOLW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCJXFS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLPDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUGNRD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SEMDVNJEUNOXOOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe"

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe

C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempHKMVR.bat

\Users\Admin\AppData\Local\Temp\PHXGODCDYEUPCKE\service.exe

C:\Users\Admin\AppData\Local\TempDXWLU.bat

\Users\Admin\AppData\Local\Temp\SRBNMOJHOJNUDPT\service.exe

C:\Users\Admin\AppData\Local\TempWWSST.bat

\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe

C:\Users\Admin\AppData\Local\TempRMUIJ.bat

\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe

C:\Users\Admin\AppData\Local\TempUGMRD.bat

\Users\Admin\AppData\Local\Temp\GCYQWPFPIHJWWES\service.exe

C:\Users\Admin\AppData\Local\TempMQLTH.bat

\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

C:\Users\Admin\AppData\Local\TempOPYUB.bat

\Users\Admin\AppData\Local\Temp\RLEKRCDQWNVJUKG\service.exe

C:\Users\Admin\AppData\Local\TempDWWLU.bat

\Users\Admin\AppData\Local\Temp\CTMSKALEYCFVRSA\service.exe

C:\Users\Admin\AppData\Local\TempWALYJ.bat

\Users\Admin\AppData\Local\Temp\EMEWNKFYOPMVHNS\service.exe

C:\Users\Admin\AppData\Local\TempTRVQY.bat

\Users\Admin\AppData\Local\Temp\AJXTBVXLQVBCAIB\service.exe

C:\Users\Admin\AppData\Local\TempCJXFS.bat

\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOG\service.exe

C:\Users\Admin\AppData\Local\TempUGNRD.bat

\Users\Admin\AppData\Local\Temp\TNGLSEESXPXLVMI\service.exe

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-24 08:42

Reported

2025-01-24 08:44

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CYXBOFSOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYOHAGNWMSJRGQG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKXEOXVFCMGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKQHYPDOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TYFFDLEIXXKMHFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MIIURPTOVKLDKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFFGBGCXSFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XUTXLBOKIYXNANP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOFWNCMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONIRYJFAQJKTWXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CUMSKBLEYDFWSSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMJJVRPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSXIGKFNBYDVTCC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWNKPKRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCWCTOBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDXUOCYJEJYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FERHVROTGTVAQJN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYNEJBSJHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMNAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UMLTIHIECJEUHPJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCBDYTGNINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IVRAUYWKOUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RREGBBWRFMHLITQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QWNLPKSGHYAHHQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLRIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSTQLRWIFKFMBYC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPESAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBKBTLHCSLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWOUMDNGFHXUUC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LQNBNYVBTXSOQCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVXIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTLRYKAKEXCEVRS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SGHCADYTGNINJVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KGUSJTMLNDIWVHQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INSFCRQEFBBWREM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOOVKJKGELGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MLYFOYWGCNGHYRU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKLIRDJOBEQRMKN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OQLJLBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPRVTWHMREBQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4612 set thread context of 1928 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2280 wrote to memory of 668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2280 wrote to memory of 668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe
PID 1980 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe
PID 3476 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 556 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 556 wrote to memory of 3648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3476 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
PID 3476 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
PID 3476 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe
PID 1928 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1928 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3632 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3632 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1928 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
PID 1928 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
PID 1928 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe
PID 3108 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3108 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 228 wrote to memory of 3776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3108 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
PID 3108 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
PID 3108 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe
PID 1524 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1524 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
PID 1524 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
PID 1524 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe
PID 1352 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1352 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 968 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 968 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1352 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
PID 1352 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
PID 1352 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe
PID 2576 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1104 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1104 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
PID 2576 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
PID 2576 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe
PID 1040 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe

"C:\Users\Admin\AppData\Local\Temp\a1ca993e9f72fce51af07d45d882cdaaa4611e38f2d1b6414fd2cb95427a78a0N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGLITQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INSFCRQEFBBWREM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOOVKJKGELGWJRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKDGHR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXLBOKIYXNANP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKLVQE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOFSOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VYOHAGNWMSJRGQG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVHIFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYWGCNGHYRU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOXTAG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVROTGTVAQJN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKHQCI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ONIRYJFAQJKTWXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CUMSKBLEYDFWSSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMNAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\UMLTIHIECJEUHPJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGHEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKXEOXVFCMGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWLFELUKQHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCBDYTGNINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCQXGS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKLIRDJOBEQRMKN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOSNVJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RREGBBWRFMHLITQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempULAJV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QWNLPKSGHYAHHQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLRIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSBCV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DSTQLRWIFKFMBYC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMJJVRPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe

"C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBKBTLHCSLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAWOUMDNGFHXUUC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWLHPG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXIGKFNBYDVTCC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQNBNYVBTXSOQCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe

"C:\Users\Admin\AppData\Local\Temp\BTLRYKAKEXCEVRS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGHPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNKPKRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGWFNBBCWCTOBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXLSBM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYFFDLEIXXKMHFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPYPEN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MIIURPTOVKLDKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFFGBGCXSFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGYXTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJLBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPRVTWHMREBQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDXUOCYJEJYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUPWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHCADYTGNINJVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe"

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSJTMLNDIWVHQ\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 218.99.81.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 192.168.1.16:3333 tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 163.154.216.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files
