Malware Analysis Report

2025-04-03 10:13

Sample ID 250214-1hjrssyqhp
Target 314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb
SHA256 314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb
Tags
blackshades defense_evasion discovery persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb

Threat Level: Known bad

The file 314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Blackshades family

Blackshades

Modifies firewall policy service

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-14 21:38

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-02-14 21:38

Reported

2025-02-14 21:41

Platform

win7-20241010-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload


Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WWKLGEHXKRAMRBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CMVDAYOSXEFCLDI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LIIUQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJKDXBEUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OPMUHNSDBFAIUVQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWLFELUKPHYPDOE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XLMHFIYLSCNSCOA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DNWEBPTYFGDMEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAVQDKFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FSORUTVHLQEBPYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVHWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPKXNXRPSDINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\TJFESIVRPUGAUWB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPKAOVEQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OCFBQVOEEGBIWER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVHOS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKUKGFTAJWSQAVI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQMBPWF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSQAVHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUILHFVUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLCTKJUR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OJHJNUDPTEQBAYE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCQVHIFNGKBM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HSQOSGKFDUSIIKF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPNSERUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DJWVIQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKGVJQL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2884 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2024 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
PID 2024 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
PID 2024 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
PID 2024 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe
PID 2700 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2700 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3036 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 2700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 2700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 2700 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe
PID 2820 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2188 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
PID 2820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe
PID 2996 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2916 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2916 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2916 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
PID 2996 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
PID 2996 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
PID 2996 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe
PID 1640 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2008 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1640 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe
PID 1640 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe
PID 1640 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe
PID 1640 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe
PID 1116 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1116 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe

"C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBVXCS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VKUKGFTAJWSQAVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVHWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWVRSS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OJHJNUDPTEQBAYE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVREC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPNSERUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRKNOY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TJFESIVRPUGAUWB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRDLCG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OCFBQVOEEGBIWER" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DJWVIQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWBUYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WWKLGEHXKRAMRBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

"C:\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIIUQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempORGUC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OPMUHNSDBFAIUVQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXCVUQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XLMHFIYLSCNSCOA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSQAVHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOJXWJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFVUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBDMIW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HSQOSGKFDUSIIKF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMTII.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDKFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe"

C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
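
The process list above records three behaviours worth turning into detection logic: cmd.exe launching a dropped .bat (note the missing separator in C:\Users\Admin\AppData\Local\TempBVXCS.bat, which the Files section confirms really lands beside Temp rather than inside it), REG ADD writing a Run value whose name and %TEMP% subfolder are both 15 uppercase letters and whose target is always service.exe (the same naming scheme recurs in the behavioral2 "Executes dropped EXE" list), and REG ADD writes to the SharedAccess\Parameters\FirewallPolicy keys that set DoNotAllowExceptions to 0 and add an AuthorizedApplications\List entry ending in ":*:Enabled:Windows Messanger". Those firewall keys are the Windows XP SP2-era policy store; Vista and later keep rules under FirewallPolicy\FirewallRules, so on the win7 and win10 detonation platforms the write is a high-fidelity indicator rather than a working exception. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses REG ADD command lines and applies those three rules to a constructed sample made of four lines copied from the Processes section plus one benign OneDrive Run entry (constructed) that must not fire. Rule names and confidence labels are assumptions.

```python
"""Detection logic for the registry and batch-launcher behaviour recorded in the
Processes section above. Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass

# Legacy (XP SP2-era) firewall policy store that the sample writes to.
FW_POLICY_PREFIX = r"HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY"
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}

# Blackshades-style artefacts seen in this report: 15 uppercase letters for both the
# Run value name and the %TEMP% subfolder, always ending in service.exe.
RANDOM15 = re.compile(r"^[A-Z]{15}$")
TEMP_RANDOM_DIR = re.compile(r"\\AppData\\Local\\Temp\\[A-Z]{15}\\service\.exe$", re.I)
# Matches both Temp\X.bat and the separator-less TempX.bat seen in this report.
BAT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\?[^\\\s\"]*\.bat", re.I)


@dataclass
class Finding:
    rule: str        # assumed rule name (not a vendor signature name)
    confidence: str  # "high" or "medium", assumed labels
    cmdline: str


def tokenize(cmdline):
    """Split a cmd.exe-style command line on whitespace, keeping "quoted args" whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def normalize_key(key):
    """Upper-case a registry path and collapse long hive names to HKCU/HKLM/HKU."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest.upper()


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a REG ADD command line, or None.
    Tolerates the 'cmd /c REG ADD ...' wrapper and reg.exe invocations."""
    toks = tokenize(cmdline)
    upper = [t.upper() for t in toks]
    idx = [i for i, t in enumerate(upper) if t in ("REG", "REG.EXE")]
    if not idx or len(toks) < idx[0] + 3 or upper[idx[0] + 1] != "ADD":
        return None
    i = idx[0]
    key, opts = toks[i + 2], {}
    j = i + 3
    while j + 1 < len(toks):
        if toks[j].lower() in ("/v", "/t", "/d"):
            opts[toks[j].lower()] = toks[j + 1]
            j += 2
        else:
            j += 1  # /f and anything unknown take no argument
    return key, opts.get("/v"), opts.get("/d")


def classify(cmdline):
    """Map one command line to a Finding, or None if it matches no rule."""
    toks = tokenize(cmdline)
    if toks and toks[0].lower() in ("cmd", "cmd.exe") and BAT_IN_TEMP.search(cmdline):
        return Finding("batch_launcher_in_temp", "medium", cmdline)
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    key_n = normalize_key(key)
    if key_n.endswith(r"\CURRENTVERSION\RUN") and data and "\\APPDATA\\LOCAL\\TEMP\\" in data.upper():
        # Any Run entry into %TEMP% is suspicious; the 15-letter scheme raises confidence.
        strong = bool(TEMP_RANDOM_DIR.search(data)) and bool(name and RANDOM15.match(name))
        return Finding("run_key_persistence_in_temp", "high" if strong else "medium", cmdline)
    if key_n.startswith(FW_POLICY_PREFIX):
        if name and name.upper() == "DONOTALLOWEXCEPTIONS" and data == "0":
            return Finding("firewall_exceptions_enabled", "high", cmdline)
        if key_n.endswith(r"\AUTHORIZEDAPPLICATIONS\LIST"):
            return Finding("firewall_authorized_app_added", "high", cmdline)
    return None


def scan(cmdlines):
    """Run classify() over a sequence of command lines and keep the hits."""
    return [f for f in map(classify, cmdlines) if f is not None]


# Constructed sample: four lines copied from the Processes section above plus one
# benign Run-key entry (constructed) that the rules must ignore.
SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Users\Admin\AppData\Local\TempBVXCS.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VKUKGFTAJWSQAVI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FSORUTVHLQEBPYP\service.exe:*:Enabled:Windows Messanger" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"[{f.confidence}] {f.rule}: {f.cmdline[:80]}")
```

Feeding the full Processes section through scan() would flag every REG ADD in it; the OneDrive control line is the only Run entry that passes, because its target is not under %TEMP%. When hunting on live hosts, pair the Run-key rule with a check of the referenced file (unsigned, named service.exe, in a random 15-letter folder), since the registry write alone is also produced by legitimate installers that stage into Temp.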

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 N/A tcp

The only connection attempt is to 192.168.1.16:3333, an RFC 1918 private address that is not routable on the internet: the sample's controller is configured as a LAN host, so no domain is resolved and no external C2 traffic should be expected from this build in a sandbox.

Files

C:\Users\Admin\AppData\Local\TempBVXCS.bat

MD5 ed8739a9cd33f7b720a241555e882f8a
SHA1 c703e91ff793108bb285145bead3392e1f00006a
SHA256 d5280cb9f191f0b11dfbc69ab1fb7429adc7d393bb4dcd4c7abf456ca8524ff4
SHA512 c2c23078912709abb4f73673573db59861d5d24751e4e3f9355bc141217ba87ae2bfb5a62b196b3b58e0d22a4cd2dccc4b04c1e2b5aeaf30d74c90bf3eba9666

C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQMBPWF\service.exe

MD5 3f8afd18a527dabd07831c3ceb15eea5
SHA1 e5c2d57654f5f7cce52a48fedd15135bcc54628b
SHA256 fabcc02a3ec0cebacf77629a1b243df654f2a896ee129507944f9a39baa084e5
SHA512 76ea88b00066b04c5ab920c6a3245cf377c78ad153dc3dcacf18a2820036cd3f6fe3da753dd0402ef377815c430c5344c5840252e98769c8edd8b69f89d61b49

C:\Users\Admin\AppData\Local\TempULJNI.bat

MD5 8ab8d8737c089f91367a4db4b75b8847
SHA1 1c67bd18ab853f2396cfb9affe879a2a5e7deeb2
SHA256 93b6d6bedbbca250d3595b855edead489a761d3edf88f4ba8d912705a93c46a7
SHA512 d992c610bdd3ab3d5ec71460e15e6c686557ea18e3c8a306611d8a7913c6d4b34d3e2580cf6d635e242a6f557944ce36f23015ff2468cad5cd1bbc3972e2fb1d

C:\Users\Admin\AppData\Local\Temp\BPKXNXRPSDINAMU\service.exe

MD5 f8fbc1dcfce402571a8b4f468a861c71
SHA1 86c8fc1ab792ce3306bc8e5fab0579c2000406b6
SHA256 ee685d59113f97bd6afd3345798097fa0d9baaee3e5b6a66e759f758030a633c
SHA512 0b386e978fafbdef7fe141c4b80c6b6bc5a002619ae9f6cc4184d39e905dc811181f38ce01ab328d583b27ccab6b72c60635d355f226d7184e9c21eab4a49370

C:\Users\Admin\AppData\Local\TempWVRSS.bat

MD5 f7c2b529214710d2bba1b9dac4bdcef8
SHA1 0341723ce1dc588132281d460b672d26556c9c99
SHA256 71600a0cf16a5798f7590d1088d945259ddf2dc2548b5b04825a70066f685691
SHA512 c0d55e5894c48b924681a5c4d5d7adde5a4f3b3caac8decf33e4cc604c41cedfac18e4d6174442b98aa590327492851a054cb291371b425c2b45f14c40ca4f2c

\Users\Admin\AppData\Local\Temp\FOYGCQVHIFNGKBM\service.exe

MD5 c51fd855f987d2b0044fa759e10f332c
SHA1 7e7243d30659ed9fcfb31fe51a5fb793ed5ce113
SHA256 7c44b51d44052db2e0ce750f5f360bf5735d5a6527dbc327a1285219bf3c89d5
SHA512 9e575edea313ac3d221ba80ae259067372bde31dfafec50e59b4dd5b4dcbc07ee561e96b6c50b7d1b5b01d31a0670f5799d80cd9fa3f0ce840b67ab09c32a9d1

C:\Users\Admin\AppData\Local\TempMVREC.bat

MD5 6edac9d3462022d02e120279da89ddaf
SHA1 f278c52733191d69d88dbe1df8b6a02a93ba3fea
SHA256 22ab5108adb550ada184626694ebf822a31cb5f87674570ffb6ae03af94fa1bc
SHA512 ac9a38118f86ff136674e058c047c65089df3f0029a4226e3031a41b31a8ed17b1b82bb1abf51abfe993eca6ad044ce249016b435891c4674d1e924517ed110b

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

MD5 dea05cea9ef16a111ff7ef63f4ff7d64
SHA1 dba3360819b69c0ef9c2f768943632c17256db9a
SHA256 fcfe7fe397c4876801b325844c5f4a18cc97ad3a0ebadfa0e7c7d3e6d33cbdd1
SHA512 8ac1cdd73a08b5d91cf711407ef084419f0a64a85756dacd9c4fb0832dc7ebf0c3d83a9206d5401846cdfe61f6fa92b0eac1e255a20b398d28f6c3499756705d

C:\Users\Admin\AppData\Local\TempRKNOY.bat

MD5 4b770412ce375a35a58abd7de450d150
SHA1 cd56e313e5310b9d758637d8ab81b72a69ae8328
SHA256 fd5db41aa215edf07a39b7220365dd622609033cec149383efb5a34697c71ca4
SHA512 b60902499b05c04a9fc0857a39deb024bd2cdf95b28a9fba11ac3a7a1eee0acaee141694d66cb5616335d52787212768acb1b9f79eba301276e0219c8e6fb588

C:\Users\Admin\AppData\Local\Temp\TSCONPKIPKAOVEQ\service.exe

MD5 3025b6da15bf5eb69638ca8c98bd0936
SHA1 021fc042fd5e83a3e865f85e7cba8228014d6789
SHA256 857b6e32f1785c4d91ed00ba7520072e10e066dce0cd89d8a9eff4b3bdeb1418
SHA512 1771fc8c0f96b222ac551887c337b3aee975fcb607c17e3b8c0a2acc14dc31b487634e7219572377430ec10a202a219142f9b69d2ff59f983d7c06c714f9715c

C:\Users\Admin\AppData\Local\TempRDLCG.bat

MD5 07fd62323f0e9df4e837d49e2544cf1b
SHA1 a4f5c788ca895ba065a9de87a8e8f211e9fdd54e
SHA256 e08abec500ee0a30e3dd9c0cfd968ead95bd276994c2c64a25174e8d35bd9b1a
SHA512 59e730c7763a3e4f354b0c4be8a40692b80a767622add44ea06aff4df7cf1ac30814662fda1d999ea7de111c0babf6c2548ad49d1b91df72c92155d1d608d3c8

\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOS\service.exe

MD5 4fbdc3076bcb95cf5f9ed866ddf42820
SHA1 a37ff2b4395dda1714228d225f85e24e87b9d256
SHA256 9abddab5b5799b4ea56d9f14c2789c275adeda0800e441a4ba406a72d5daeda9
SHA512 5ae678d8f00d0d84e7b773088dfe95394daccf77af7477e930c3a79f59d1fe840064e15fef0ba77276307316444e1d9e578986de7dccdedc33d8852007321717

C:\Users\Admin\AppData\Local\TempRSPYK.bat

MD5 7e3ba6760fa5d2ec978eac24910e7499
SHA1 312a044a1e793ae55a2094d15bee9751dee478d4
SHA256 019c7b82957019e1806698920121728228d93489832907e2a42be76b79ee5349
SHA512 054b2f06108e5c0105ad8794ea07b9a0b8dcc41582d13154266073f3102eec38b51274faed5f605754ead96a0de2e942861f556662c3ccd7ceb42e622093d8a4

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKGVJQL\service.exe

MD5 e75cedf8c698a7d8050910198f84d7a8
SHA1 cc787ee25767213f72581c0dea751ea9bf9c6ac3
SHA256 5285bb6820aa8bf9fa0c59d434bf112da3eb2135ea97706d3875a89bac134b88
SHA512 4ebccc8c29b5616e3abadcb5bb0585794ab0847867cab3b7e82be4d753be96d46355bb4ccf4706dd7bb6764550cace6993348fcf40cf9b9042fe391d8a02f5e5

C:\Users\Admin\AppData\Local\TempWBUYT.bat

MD5 2f92e0d7753a32279044f3178eb02a9f
SHA1 255dc3664a10103b3a1204b75db75e6d097aacce
SHA256 6075d7b53384296ae6cb790c4a29fb9c7cb931d092c48d5a99cf7085b0724d20
SHA512 834832ee66bf26458d4009fc74c39d13cd813c6c76105bc364943a4bec1e372707691db40888bae70ffb7f0186be95ff7b839fc28dfb43486a41b28119331e41

\Users\Admin\AppData\Local\Temp\CMVDAYOSXEFCLDI\service.exe

MD5 b0cb414510ca3de51d16b40633290122
SHA1 9864f6507e2268f6f5e5bddc6be19f6c66ae7d10
SHA256 adbf664f8192091be3746ff6401230433a10557fbd91153709e5f011baf1fe6d
SHA512 cf6942cdde7c34b68167cb5e37a2fa5ee21c340a31ee7f281e7229479dfb64720e2da68253416434f85e1f7de9f9b2f4a5e1a3f0c26a5039a7e481d3e086ffc0

C:\Users\Admin\AppData\Local\TempPXODM.bat

MD5 5cc498ebc972e86d765b4982d0f1c2b2
SHA1 0b8ca42b417acada67de91521b83a9fca4b9cf24
SHA256 c7de31d3812e6ce26639a27a94945048f0baf3707adaba932c49cfacac06a20d
SHA512 b1ecf4c0161f306f699d6271a31c650339cddf92a994d50d5bdd0695362cb842f731ba6849ec4e5850d50f2c7b5b8a12710894e53f703b0a85ececb09b3bc948

\Users\Admin\AppData\Local\Temp\YBSLRYJKDXBEUQR\service.exe

MD5 faaccbbffaa809f448151b0a455c5817
SHA1 98f0ab2791d53582039dfcd5ee8380db2d57cbc7
SHA256 f9e58824f9d9d99bdf762ad94e4c87500787968138615103403a9b77d49a8d1d
SHA512 485f745670cf14e112ab484b97db0598a1da2aa6f7c74302593dcc0bd98c75b56ec1a56f3b50a265e75130229b6e5cf8851004923edace55d136e6236f551847

C:\Users\Admin\AppData\Local\TempORGUC.bat

MD5 5f5429d36a494e8322ce41c8cc4155ff
SHA1 49b2995fd13a6ed5a20dc93027b8661e99745f9a
SHA256 66f7845e24953c72d12ffa23aee60711a407b73f0dabc6b1415c37b8b894462e
SHA512 358b0918d5df670e5cc3eabb8ad3f939812fdb53d5e9817ce055268d523342f1fe59eaedd9061f53938a74504fb63f384f69433f558f3aeb825325f591915a24

\Users\Admin\AppData\Local\Temp\TWLFELUKPHYPDOE\service.exe

MD5 4bd867a9fe877634a910ba26d108f021
SHA1 bcdc23b1db87b1cca80c4bc28cf27cf3c57ea8ca
SHA256 2747e3a993058ce0b1b2fdba3a5186a33d2ea24a6dc617358cad4d8ea649f6e8
SHA512 aacf1682bd3d5c3909b8bed77365a0ebc140a728c03e7ac03e8fad4f691bfec679982c3831ea183520f4edfeba4e84455490004abf56156551fd74debc5dab7e

C:\Users\Admin\AppData\Local\TempXCVUQ.bat

MD5 0711a4f1388f3d331d1bc5da796436c4
SHA1 00f10b2094b622d171a3c875313f6a2695c5c104
SHA256 01d35adaa0f5bf81e51dd994896f46c8b28f8e70e33c5187730d0227c75f5a68
SHA512 f601f7ef7a978a9fa6a369206446aa1a4e72a4d92323dae86e8e288fe3399a1707faaf43dfd5fdc27a534ddbc2a048412483fcb43576eb15309fc2010ad7dbf9

\Users\Admin\AppData\Local\Temp\DNWEBPTYFGDMEJX\service.exe

MD5 899e40f02d8c781f2d9b70c17f4d1e62
SHA1 6cdb3500650a9cafe17b735bb869f3d2c5fd3d87
SHA256 1582ebb4429f80f3bd1332b2cf8b8854d6b6780d357482f32c1d5029002919f0
SHA512 7b358831239f2251a9e1c71f12d06e00cd48b27a4711a93a6f65c45a1e5b66ac35612b2440a09dfae17176f53dac8ad03fad10aa66e6f0c42ffd1ae45c9ceb61

C:\Users\Admin\AppData\Local\TempOPYUB.bat

MD5 1dcb9ce1935e3f2e3959c214d3b81be4
SHA1 0e89b74f8d835004fefefb41a98911deb399cad8
SHA256 2fcff6ef08af5bc7a51c34f59e9df2c106699a5eabedf9a73c724e15680cbadf
SHA512 b6ee736c94c8eae49c5e46a01f61b8f9befe1564fba565b78bc3b8b69cbd3646191ea43e85ae70825c3a3cdaca67be47832ef4e08666574fc11e9dd6fd46c43d

C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

MD5 3e4622f9ae05598cc9528af5a59c2d18
SHA1 0abb9e51f9e13694263eac03af6b3ee78e351a5c
SHA256 ac2396d3983ba964d291111231067a5afff42ce84e24cf0b9e8dc19369a63ddc
SHA512 c3e96c6b24ff919d2e58b72fabe0052bbaca1abb1ce400297ef335343504b3643a77559bf30917649e3bbf4e6a79255fd5e1b634740c244021a27716473cdc57

C:\Users\Admin\AppData\Local\TempOJXWJ.bat

MD5 c2b1f1aee91002f968818f11d47fffa7
SHA1 d628ec8e54904d99a1514a3fc8b7c0213271b3fa
SHA256 5375db52ba6c6212b32b77b61cb686a0b9a302c83bc8990197cde586a9a03c4a
SHA512 4c4c1fbe3871736b0bfe9a39e6626a19a8889306d61a473f838118db986879f4d4e70bbe74a8023ea47129340fff4b3b41e2ba0ca4b8698ef2baff6dec1056d1

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLCTKJUR\service.exe

MD5 8c8014683a2c71e4efc4f2089accc554
SHA1 e3335f66df1afd7013b29a6d64b0462c83c55e93
SHA256 8327a63b4d20111afc725725588128d605f8a4847a9678ddd26f417f9e9fc614
SHA512 cb6fe0bccee35c3576fcb88b0550e66f75975308d82953cb0b30b871cfeabaa99a84963f56c3782838534f5b42fbe976b1be53db036cd1346545758ad980cfd8

C:\Users\Admin\AppData\Local\TempBDMIW.bat

MD5 69a0ce7ea3682910e93cb727cfb724c1
SHA1 0e22581391e2634002038091aaa412376f2baefd
SHA256 e13424373255483a9953a20465ba38d8986e2da554213fcaa142eb5e680270ac
SHA512 944df9d1265baba5d947741b561f269ce4e0a345b92a9a9b9cb597c3062db6634ce3d10028614e7b3d91a60ff0effb6d7dbdd28673a9405b552ecf5a98ba0ef4

C:\Users\Admin\AppData\Local\TempRMTII.bat

MD5 bb27e4c24484dbe2d39e8d88d55b3c2f
SHA1 86007d26b8075efcf83cc8f6ef77c6d381291658
SHA256 cfe74a40b353c29cb95f1610b3290f8e32a0f0122d125dce317f63d35031a5f2
SHA512 52f774bad56549147e26e62d2688ff06df16a3bdaab619d8e98c3b0cba2525f2530515ff868ec444e773ad05d5066fdc7dcfb086676c0cd831a47b83ec2126c6

memory/1548-426-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-431-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-434-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-435-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-436-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-438-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-442-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1548-444-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-14 21:38

Reported

2025-02-14 21:41

Platform

win10v2004-20250211-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe"

Signatures

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMAC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTHTEDHYVWIOVVH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVKEDKTJOGXOCND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOLKOCFBPVOEEGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMSOERIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVSRVJMIGXVLLNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PSICYAHQGMEULAK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HMREBQYQDEAAVQE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQSEINBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QERCAFXWSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUEPU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKXENXVFBMFGWPT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRKDJQBCPVMUJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LCNOKIKANVEPUFR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FKPCOWOBCXTOCXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPFTPNSERUPILMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKBTLHCVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NRWDEBJCGVVIKFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXSRXTJWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HYUWIOVVGAOXKJW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDWNOLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LHFVTKKMHADENJX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLVDXNSXDEBKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PXPCEYUPDKFJXGS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ESSFHCADYSGNIMJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HPGYQMHCBQRPXJP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTSEMDVNJEUNOXO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BSLRYJAKDXCEURR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AUVJWHFKXYBLQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEWGSSTOMTPESAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USQUILHFWUKKMHA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIJCWBDTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QYQDFAAVQELFKYH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAIASJGAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SECGBJUVRPRHVCL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNEWOKFAYOPNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDXUOCYJEIYWFRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNQTSUGKPCAOWO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIXYVEFQWNLPKSG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YEFCLDIXWKLGFHX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASKQXJJCWBDUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PVMKOJRFGXGGPKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWNI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FABWRELGLYHTQNR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVUWIMRFCQQE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LIITQOSNVJLDKKT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RKJRFEGBGBWRFMH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CEWUDDXMIQHFRON = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ADOPLJLBOWFQVFS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IJECFVIPKPMXUAS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESOQUSVGLQDAPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EDQGUQOTFSVQJMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOGWOCMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCIQHGRO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NREIECSYQGGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODVUCWMCHQHGQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BVWKWIGKYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHCBHDYTGO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WTRVQYMNAGNNWRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DVNTMCMGEGXTUBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AQROWIPTFDHCKVX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VXNHAFMWMRJRFPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JTPKTFUEUVSBMTX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQHESWIJGPBHMAC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRWCDAJBGVUIJFD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PUBCIAFTTHIDBEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWRHVDLCW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KMHFIXLSBNRCOWC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HUQTXVXJNSAGDSR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YKIMHODEWVDEXNI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAYPQNVHO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BKYUSCXJDWDUNQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIXVLVPNQBFLYYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MKOJRGHXGHPLTLI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNICCRSPYKQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PWHDOHIYRVWHIGO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQTSUGKPDAOXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JKFDGWJQLQAMYVA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVPAQPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLXBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PLMXUASWRNOBHOO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EAWPUNDNHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUQLUFVAFUVSCNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPBIMAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TVHNUUFYNWJIWDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOXGCQUGHENFKAY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QEQCAEWWSTGLSTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRBNNOJHOKNUDPU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NMHQXIEPIJSVXIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMABVBSMAHCG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAUSRVIMIGWULKM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXCUSBVKYAGOF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FJYAYLMIGIYMTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AEHSTPNPFSAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UGOFXPLGWPBQAQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YMYJIMDNTLCCEFT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WOIBHOXANSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHXXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WSTGMTTEXXMVIHU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFUSISMKMCIVUHP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIRISOJSDTDSTQA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOEPIGJVWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYXLPUBCHAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FNCDVTCDWLHQHFQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLYOYSQTEIOBNV\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IMRFCRQEFABWREL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSRTOMTPESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1904 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1904 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3120 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 3120 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 3120 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe
PID 2472 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2472 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe
PID 2472 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe
PID 2472 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe
PID 2348 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1240 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1240 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1240 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2348 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
PID 2348 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
PID 2348 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe
PID 4132 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3316 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3316 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4132 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
PID 4132 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
PID 4132 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
PID 1628 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1176 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1628 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
PID 1628 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
PID 1628 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
PID 1264 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1228 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1228 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1264 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe
PID 1264 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe
PID 1264 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe
PID 4412 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4412 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5032 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4412 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
PID 4412 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
PID 4412 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe
PID 3588 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe

"C:\Users\Admin\AppData\Local\Temp\314a65761aab8a762e423c3aa3e2f8dcdc6c782ab50afc63c8cd3dc0c6bd81bb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFVIQK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRWCDAJBGVUIJFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNUJJK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FABWRELGLYHTQNR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULJNIPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSWSOO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JKFDGWJQLQAMYVA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYDIYW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKPCOWOBCXTOCXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPMUGN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTSEMDVNJEUNOXO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIASJGAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOMREH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FNCDVTCDWLHQHFQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNMPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBEFPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AVSRVJMIGXVLLNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe

"C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRECQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPNSERUPILMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWHGKX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AEHSTPNPFSAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIOTE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVPAQPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUNTFB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVWIOVVHBOXKJXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXXMVI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QERCAFXWSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQGGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJBDRN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJWHFKXYBLQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQUGEI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYQMHXQCRBRSPXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMSDAK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TVHNUUFYNWJIWDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPXODM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LIITQOSNVJLDKKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe

"C:\Users\Admin\AppData\Local\Temp\RKJRFEGBGBWRFMH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGVJQL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NRWDEBJCGVVIKFD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAXSRXTJWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGLYIT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IMRFCRQEFABWREL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSRTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCWAMY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SECGBJUVRPRHVCL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe" /f

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzMyMzQ0Mzk0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNEWOKFAYOPNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDUNSE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HYUWIOVVGAOXKJW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDUMIDWNOLTFMQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXXMVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQCAEWWSTGLSTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe

"C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUDPU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEPWMK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHXXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHOJOK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PUBCIAFTTHIDBEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVUWRPWRHVDLCW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKWIGKYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe

"C:\Users\Admin\AppData\Local\Temp\TLKSHGHCBHDYTGO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPCYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTRVQYMNAGNNWRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DVNTMCMGEGXTUBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXSSHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PLMXUASWRNOBHOO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\EAWPUNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBYYSK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WSTGMTTEXXMVIHU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe

"C:\Users\Admin\AppData\Local\Temp\JFUSISMKMCIVUHP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRFIIC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEWUDDXMIQHFRON" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDXUOCYJEIYWFRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe

"C:\Users\Admin\AppData\Local\Temp\DRNQTSUGKPCAOWO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMHQXIEPIJSVXIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMABVBSMAHCG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWIQIC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LHFVTKKMHADENJX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLVDXNSXDEBKCHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QQEFABWRELGLYIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVHOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUYTPQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KMHFIXLSBNRCOWC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe

"C:\Users\Admin\AppData\Local\Temp\HUQTXVXJNSAGDSR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUTFNF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IECSYQHGIDABKYG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IVRAUYWKOUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTPYPE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMIIUROTOVKLDKL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLFKYH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMREBQYQDEAAVQE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWIPT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UGOFXPLGWPBQAQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGGEM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LKXENXVFBMFGWPT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRKDJQBCPVMUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRIGRP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YKIMHODEWVDEXNI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAYPQNVHO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSQSIW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AQROWIPTFDHCKVX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VXNHAFMWMRJRFPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCBFXW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LCNOKIKANVEPUFR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHYGHQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXYVEFQWNLPKSG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBSOYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYKIMH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUFVAFUVSCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKRBMR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEFCLDIXWKLGFHX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWDEBJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BKYUSCXJDWDUNQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIXVLVPNQBFLYYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUSQUI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MKOJRGHXGHPLTLI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBOXKJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTHTEDHYVWIOVVH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVKEDKTJOGXOCND\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDCGYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ADOPLJLBOWFQVFS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDEOKX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "USQUILHFWUKKMHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIJCWBDTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempLRWIG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIRISOJSDTDSTQA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOEPIGJVWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYOMQL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PXPCEYUPDKFJXGS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWDRQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DOLKOCFBPVOEEGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMSOERIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCKVWSQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHFMVLRJRFPGB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVRPTO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ESSFHCADYSGNIMJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe

"C:\Users\Admin\AppData\Local\Temp\HPGYQMHCBQRPXJP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWSAVYXLPUBCHAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQYNNO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJECFUIPKPLXURV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKIURQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PVMKOJRFGXGGPKT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWRYNN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IJECFVIPKPMXUAS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESOQUSVGLQDAPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSPNRM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QYQDFAAVQELFKYH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHAEFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KAUSRVIMIGWULKM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYXCUSBVKYAGOF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHLCU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PWHDOHIYRVWHIGO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQTSUGKPDAOXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJHLGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JTPKTFUEUVSBMTX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMAC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMAC\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQHESWIJGPBHMAC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempOWOIB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DRNLQCPRNFJKTPC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

"C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJYAYLMIGIYMTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBPOAI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YMYJIMDNTLCCEFT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WOIBHOXANSKSGRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWSAFD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDQGUQOTFSVQJMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOGWOCMC\service.exe"
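
The process list above repeats one persistence pattern: cmd.exe runs a dropped .bat, the .bat calls reg.exe to add an HKCU Run value, and that value points at a freshly written service.exe under a random 15-letter directory in the user's Temp folder. The script below is an added example, not part of the sandbox report or of the sample: it parses REG ADD command lines of exactly that shape, flags Run values whose target lives in a user-writable directory or is a service.exe outside the Windows directory, and pulls out the .bat paths launched through cmd.exe /c. Three command lines are copied verbatim from this report; the OneDrive line is a constructed benign entry so the heuristic has a negative case, and the heuristic itself is the author's choice rather than anything the report states.

```python
"""Added example: flag Run-key persistence in REG ADD command lines.

Not part of the sandbox report. It parses command lines of the shape the
process list shows (reg.exe adding an HKCU Run value that points at a
service.exe under the user's Temp directory) and the cmd.exe /c "...bat"
lines that precede each one.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Three lines copied verbatim from the report's process list, plus one
# constructed benign Run entry (Program Files path) so the heuristic has a
# negative case. The OneDrive line is NOT from the report.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KUQLUFVAFUVSCNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPBIMAD\service.exe" /f',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKRBMR.bat" "',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YEFCLDIXWKLGFHX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASKQXJJCWBDUQR\service.exe" /f',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /f',
]

# 'REG ADD "<key>" ...' or 'reg.exe add <key> ...'; the rest is option parsing.
REG_ADD = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?(?P<opts>.*)$', re.I)
# /v, /t and /d take either a quoted or an unquoted argument.
OPT = re.compile(r'/(?P<flag>[vtd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
# Directories a standard user can write to (heuristic, not from the report).
USER_WRITABLE = re.compile(r'\\AppData\\|\\ProgramData\\|\\Users\\Public\\', re.I)
# cmd.exe /c ""C:\...\X.bat" "  (the doubled quotes are how the report shows it)
BAT_VIA_CMD = re.compile(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)"', re.I)


@dataclass
class RunEntry:
    key: str
    value_name: str
    value_type: str
    data: str
    reasons: list


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return key/name/type/data from a 'REG ADD' command line, or None."""
    m = REG_ADD.match(cmdline)
    if not m:
        return None
    opts = {}
    for flag, quoted, unquoted in OPT.findall(m.group("opts")):
        opts[flag.lower()] = quoted if quoted else unquoted
    return {"key": m.group("key"), "name": opts.get("v", ""),
            "type": opts.get("t", ""), "data": opts.get("d", "")}


def assess(rec: dict) -> RunEntry:
    """Apply the heuristics; an empty reasons list means nothing was flagged."""
    reasons = []
    data_l = rec["data"].lower()
    if RUN_KEY.search(rec["key"]):
        if USER_WRITABLE.search(rec["data"]):
            reasons.append("Run value points into a user-writable directory")
        if data_l.endswith("\\service.exe") and "\\windows\\" not in data_l:
            reasons.append("binary named service.exe outside the Windows directory")
    return RunEntry(rec["key"], rec["name"], rec["type"], rec["data"], reasons)


def find_persistence(cmdlines) -> list:
    """Flagged RunEntry objects, in the order the command lines appear."""
    hits = []
    for line in cmdlines:
        rec = parse_reg_add(line)
        if rec is None:
            continue
        entry = assess(rec)
        if entry.reasons:
            hits.append(entry)
    return hits


def bat_paths(cmdlines) -> list:
    """Batch files launched through 'cmd.exe /c', exactly as written in the command line."""
    return [m.group(1) for line in cmdlines for m in [BAT_VIA_CMD.search(line)] if m]


if __name__ == "__main__":
    for e in find_persistence(SAMPLE_CMDLINES):
        print(f"{e.key}\\{e.value_name} -> {e.data}: {'; '.join(e.reasons)}")
    print("batch files:", bat_paths(SAMPLE_CMDLINES))
```

The same parser can be pointed at Sysmon event ID 1 or 13 records on a live host; the .bat path is returned exactly as the command line spells it, so the missing separator after "Temp" in this report's cmd.exe lines is preserved rather than silently repaired.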

Network

Country  Destination          Domain                                       Proto
US       8.8.8.8:53           g.bing.com                                   udp
US       150.171.27.10:443    g.bing.com                                   tcp
GB       2.16.153.222:443     www.bing.com                                 tcp
AU       40.79.173.41:443     -                                            tcp
US       8.8.8.8:53           msedge.api.cdp.microsoft.com                 udp
IE       4.245.161.190:443    msedge.api.cdp.microsoft.com                 tcp
US       8.8.8.8:53           msedge.b.tlu.dl.delivery.mp.microsoft.com    udp
NL       2.18.121.5:80        msedge.b.tlu.dl.delivery.mp.microsoft.com    tcp

Files

C:\Users\Admin\AppData\Local\TempFVIQK.txt

MD5 3c13dc03be990bc61cdff9abcc99b089
SHA1 345455667e3499ed7e073f3cb361af3fc518442d
SHA256 44e067e475a0e89c865b14a7a3206ed7d4b9a8b9d8bb01d82d1b3ee4a2a76574
SHA512 02a2242e531f45cb158a1db9eaec3a7808bd9625e48e772cea84d41ba81f0b7d0236c1af323d913aab3f5994e4f646604d5305bb2febe1aeab5e97576aeee3be

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.txt

MD5 3ad89eef971442f1c2dd0951af19552b
SHA1 ff7f0a440506cf62878cc8cd33bbc1a11ddf67ea
SHA256 d6ba461d130511d7397953b2012348ec11d2966672df7efc1ba796ed30952862
SHA512 d245398388c4ec9406e0bd727157ed0e1ea360886103476d97448d2903d3d07a041f254f561fce4c95a2b2f4d06ba5c0162aec0a89fb93f552ad4d15004802e4

C:\Users\Admin\AppData\Local\TempNUJJK.txt

MD5 3438a5ba0394187544cb4b142d476e43
SHA1 17e1c63cb20478fb0bad90bc4e4cd654ace0657f
SHA256 2b2ae4c92fe916e516cc7a5249d11c5e09f1a01b4076e51a410175c580a21e7a
SHA512 b3099d9b0f721826a54b17e793fc40aee7f5b16043901196c62d74ea9d673035530de4d2179b37a1bf5d2a1b4489d82c6b12e6c4a9becd017de262e15f9c4f6d

C:\Users\Admin\AppData\Local\Temp\FTPSVUWIMRFCQQE\service.exe

MD5 e69e5d50c6cf1bb87b1af805dfa8be2d
SHA1 870700d4bd40dac4637555b6e92d7dd0b2fae298
SHA256 1fe5f31c22679b34bfc4a2ab7792d8411cd75937e6f8f5c64e18dda7bffaf67c
SHA512 e01f1c851f009e87832b64a9c93b29a5ddaf9c60d1a94b7006eb12526da75d9a8c366dff8c4097d553017fe2ad021ed8a83aa943c41a5c63a6ddf790712b041f

C:\Users\Admin\AppData\Local\TempFYOJS.txt

MD5 db157818a0a97e73babc2855734c5406
SHA1 60cdc711249b42a0fcb60fa5c0838e6e48fddf5e
SHA256 d0feb07077e444f3a8b3695e9842c4f49ceb09e7851e3217c01c37a85ecd92f6
SHA512 3eb01002c5e7c13e313c9f329b0c9995f8105df987391d1c1dc947a6668841c48a275e37f9fe118a2b160e4dae3ea485270e88c4ff4c5f49427306478cc10e2c

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

MD5 2a69133c9f3596debeda198ced4ab592
SHA1 838ce2256cb9f6760ddc08b170cced452210871d
SHA256 17fb4ae4f0e79bcdd1b51d871e171c6b6c727b21152c886ab51012205d064fdf
SHA512 7d425cb7678d43f144fbc4456896d638b426f388e3ea4bc962b986013d762634dcb50991c98dbf041c135b5c8c8dfd478ea21835eeb0d35d6389e9e52b741992

C:\Users\Admin\AppData\Local\TempSWSOO.txt

MD5 7b7da23ef547f9763a879642267e3737
SHA1 a178492f23c726c4659a320a49332ea0067b8c45
SHA256 c7822c62c6a4024f7ddfcb89ece00b9dbb6ed5c73f6d1f82b8d4f73e68dcac77
SHA512 1ae7d9aea927e8a7505936c52528c688d71d0bd92486f4f67f342046318682d812a5df23769e4d31e08fe63db83da6405cda0e359d3cbaecffe13672ab0aca99

C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

MD5 5d928234631b3d464755bc7b9db96392
SHA1 f31538169df02fcca5e02e78a38ca9ff07c66e84
SHA256 16945a173064d0d41489b902c613d92f6a382236c7b2395f4ed791ec914525a8
SHA512 f86b50af87af8f13d26bf1c03ea7cbbbb1e4b349ba335f7cbeedbc10ce4fe58ece3e210716399973bf919610c53d8bf67337a5c3e806c7f1847c265cb205f2ac

C:\Users\Admin\AppData\Local\TempYDIYW.txt

MD5 3b0ae7f19a45f34e619d5139ec8e956f
SHA1 0cdd48befa10ba587506c0a6c79a34a1edf9bee5
SHA256 bb0765f8e4df8b67a4f6e6ac8f50ef9210b77c59824339aa088e9b9efc3bd553
SHA512 8f3b2b476e5e8dae1f06509c9d4d682f87965b96ec220cbae5a686d9f49df7083f69fb0b33cfc2a217a021dbdb78b903d88040b6b02401644f7f73e0e66fa314

C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

MD5 2be942ec6980f9a732dad20a5c4f3850
SHA1 ca1c7ddc2a1632f035d45e815e59abcede6da547
SHA256 92b208b0fd6600d53f1a73a0e97e17190cf683f8e0d2dff56492064d426a8630
SHA512 23dab0cb3e8adcfc2bfe5f0c29bf4923396f3b6e7815dccaf1638860fd876f79e5d892d17b106a00e17fd01575241f6050257956e68da614ef0bc717f3f36cdb

C:\Users\Admin\AppData\Local\TempPMUGN.txt

MD5 903ab05b48d901b4ed99c95aa487754a
SHA1 81e13805c174903228c50d02c4efd60346c881c1
SHA256 d406d1c29e2731246c1c7a65bcb67979eb53dc752bbf7ae5ebf6af0a53d1108d
SHA512 223d77e07c63ff9ff163cb2d7837c4117dd08a3854b4606ea8aefb3daf971c1ea1836f7f49115fe089fd0acdf34808ed81e07fa25bdce31551f82b7d20f69f55

C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe

MD5 5c5f26ad07b63e630f795caace1415d6
SHA1 7aa9575a731bf134c156b6e312c210aeb83379c9
SHA256 4c9e262bb36bcdd94d70a82945fb32e7914e6eecb944215538f694bbb63f4d54
SHA512 3ca232f24a08bebe92bfb3fa6f767a72619a92c16bffe5ae604d68cbf55586402de330221e42334ca08d4e370c741a9d74725826aa979f1a0ceb79550996816b

C:\Users\Admin\AppData\Local\TempKYGUT.txt

MD5 1c95cf0a551ea20f4178aae177d34802
SHA1 20066dae2ed26163ec9a8a4ce88b7ef4aa99bb1a
SHA256 8aee5c73502e5e832cecf66dc66a0831d219c4decb1f3d9197255ab59fe7fe48
SHA512 82f0fa523d17a176fa6d2946bec85f424fd784766ebcc0ba730a4ac2ca6aa536c3afa8a7803cbc1868a8d26b6c41af3c3f3f070a64a76066b5e15332f74cb11c

C:\Users\Admin\AppData\Local\Temp\LODWUDWMCIQHGRO\service.exe

MD5 d88dd28d51ee42a1f0a8c0189b76480a
SHA1 8bc547102286192995f9e27ef221712f109c148b
SHA256 55d0950b733b72a71480fd1e83c2cd1ffc9f1c96ce9fd67e69298dc79efb386f
SHA512 ebf2eded9f576e18b14609d12ac9a01ea67cf21279e6065dd74ceca5d0989034db9df223e0910c96385d7aa6ad851d513e8ad053db94193ee63e705a71030f05

C:\Users\Admin\AppData\Local\TempLIRDJ.txt

MD5 008f09d4a9596413a35753aaf2f30f10
SHA1 9663bf5fb193085ab9ab711ad03116781948dc0f
SHA256 905dc5021822db8abfc9f76bb44c83fc1e0cf0727bd5c9223a56aee17b717957
SHA512 f43605803b05a816fd415724504391baa4aa94d5a3fa0ce2b90b7c510c85e88f548753c0403686adc744e981d0b00fa1694b2895c9cc94670f33a56fefec088b

C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOK\service.exe

MD5 b1156d7edc0f3f2dd00edbf8a51dce56
SHA1 c74852f3c2080b983bc38f9534f362c9d60c84ce
SHA256 718bec3044f585f596e2e6f828dfa9a6f4d8c9083bffb735453fcb6e5d620574
SHA512 6360044765513b88d89280f6fc06cbe6f540e2be54055dcfd944a641eb8e90c4ea60f4f0e7e68b8ed8e46f4272dcd2cc1f1f8dcda57e0aac16e6a21c2dafd40b

C:\Users\Admin\AppData\Local\TempOMREH.txt

MD5 373838e579b46e24f1189f5e21214223
SHA1 7fbe09349025bcff6ab3d5647f7617fa5dd5f998
SHA256 245e90c8e4200e1170d71696aa0eec4a8a5fd16576bb6a2778123123d0ea4c70
SHA512 224ea06cbb917f93febe545629aa785e7adf8a01df6b6c2107bd34410a9a4a3136fd279a321053ca7fe98c26703d5b85f119300a7b8b3aec55bbb1f5faaac47b

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQTEIOBNV\service.exe

MD5 4dceacc4e644a14a530b1780294a2cfd
SHA1 b8ea1d1c501c16b0bdf61c11049cebaa1b53fc53
SHA256 0ba88230019260a786ee35e31e8385e9e14c4c7e430ddab0852c66fe15656698
SHA512 41608c39566d09f8f24639cdd17e3ca8f63df24b30dd60825e47276e2db5f679bff1aa58edb12ef782897f861633bd54388b37810a1aece6c3529740eb72185b

C:\Users\Admin\AppData\Local\TempDGHQM.txt

MD5 c1e9cc859b16b9aaf13c7abbc8695e56
SHA1 fb49c82be270cefd43f9154a833d9f1fd2b811dd
SHA256 fd1db65b4c055373a0a760d16e5e68b96b8d83802200465c0c07a43eb6050027
SHA512 dd2803c4bb852df4f419bfd558036ab6503de0b5883719540b71b7d134fd9eae0e1d3fd61add84ae9203c08af3f3483d18e23c122af0f408e5382b0b831d2114

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

MD5 fbe1ceae0728a94c6ae041f37b5b9675
SHA1 2134943fdf6e01fe815cbf6e71cdfcf9c9840e77
SHA256 809be9ed36c79e4b13bcc49ec8e1564e50622e8609e85b1db26cc2aa4172eb7c
SHA512 3dca6b2f96c9a2449d4fa24ff25e5a39fb3fe9629614e2b514c1072780bde7441f378a48f7ad5a72727ece579c342c91b79089e86e1feda8d9d6ed3262de8ba4

C:\Users\Admin\AppData\Local\TempBEFPL.txt

MD5 06d296f775cca1756baeea0ea8c19981
SHA1 c44d01cc012cfc820decc11d1130bd7735d7e304
SHA256 0492b900c330872577dec7707c8b3b2c38406dd6b9ae943734b43e356d4f8e9d
SHA512 9a93e9bddf001eda01cacc3af995a069d686b0cf1b530062ec47cb3bc38b44b205335bc4e3929b31fe2fd84482152b800c83964fb3edb0e40854a71223025d88

C:\Users\Admin\AppData\Local\Temp\PSICYAHQGMEULAK\service.exe

MD5 b187fbf8ffcc757578b1b31db73ba582
SHA1 8b19534bc9f734dcf9812a23e316a35edcb27eec
SHA256 acd1ed0309632766d47a376989795728a769a7ad4500dd2f45dc4c5ccae7cfa2
SHA512 cb109ff8f340d51f78c9e28b8d4632ebcce39c5d7ad7b97b7c358be664e583b9ff566c66c53c591945f5a4abb9e32e94ec7f739e8c3f7dc97616066c01b1a63e

C:\Users\Admin\AppData\Local\TempRECQY.txt

MD5 706df07b281a1d2eef8427a0ba5c484c
SHA1 52e6301884371178d50818affad9bb4e0ea20982
SHA256 7b4df99ddc2f5c7b6144ab4f48f994c03bfcfd3ac84605b914b9780440e3492f
SHA512 b7927cec8b99afdc00cac719f15cf537b570bf24d5e6124b502dfc3eaf4942e2e887418b35f0c202d69cb119cce26fd721bf04fbfc5c9d3e92e3314f0db6086a

C:\Users\Admin\AppData\Local\Temp\CKBTLHCVLMJSEKP\service.exe

MD5 5c2e001dec9382e330d40c55a3fbec4b
SHA1 510954dc581d9c6e7e01d259b268d3ef38072d59
SHA256 708cd5a9c33e184c3b07094cae1ff2494ce0902e7c00b66cefdcd5813bd0afda
SHA512 dc044ec8e19aac786ba0f77631660d0481c8dfe91aab1daba182c9cdba7831ff9a11eba02ef51878641f60f40809905dbc6bbaf3307ee124b6f38af1e121065a

C:\Users\Admin\AppData\Local\TempWHGKX.txt

MD5 a0bf8029719166b1a6c026f99f593d2b
SHA1 7cbfbad53528b645012afd480b7e3481a49f90d2
SHA256 8e0fac100bb0a3ecef65a25a3c706db139cddce7eadb258e62af9073ace6c362
SHA512 270d9d0ed13ed4ae81065678b5d06106b1b569ed9fe4d422c52d8efeab42c31f0c1e57b2641fcf1768f08da78fb5580fb90b3f9727970503bab52a2d8892cb28

C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

MD5 c49977258faf8f3cc850d6f5cc804772
SHA1 9ef2ab44c469bb6e93638567621238ac205b81db
SHA256 647a1644e417c825d6ac1598aa58217e505479d54e06c83ffd1d0dc78430a65a
SHA512 fce92c8b6b14657b5f7da31a05691d80f3de367b1d0119acf007da9d6d3e68ac40cf05a3f8fdb1cc5de0e9f76a11fd04f7e6c28f9ea95da34b435ebf8de939a2

C:\Users\Admin\AppData\Local\TempEPVMK.txt

MD5 ae8f202d4ed2fc59ac1768676e99fa51
SHA1 b1b8df096565f00058f00fcca54eb39ffe6aff35
SHA256 5c6ee0ba63d1015f3ca9bcac2d85aeff2406db14fcef7f44dd51e2a0182d3db2
SHA512 af4278dcf7b56a1ca2f87e420bfc8364441453edb9c0df7f541a90833f86e8f0dac1a53ed93fcf81fd5e5b21ae69acfd5244a01b6895ce900b29a93fb8d4cf4c

C:\Users\Admin\AppData\Local\Temp\CPLYOYSQSEINBNV\service.exe

MD5 2eac6306388d616f1474b54639a19084
SHA1 9c63d50a491b896d35eedab108ee58064a32b56d
SHA256 fb3f31906a3677b1daf32cfea4efab727a71d5993c11702587688af1f5f3b002
SHA512 c415cc2e946bd9bce5838595169d9c4111a2f038a80363ad6d39f9ba3008cde47c0ffabb929b28163a0ef6ac7936d736896d1add678ca17a03d64d2bd76c256a

C:\Users\Admin\AppData\Local\TempWIOTE.txt

MD5 21343373fa3df55d7326902ef73a77d2
SHA1 18c1af04af5f2a7699781f70ba94599e0866d9be
SHA256 4c4fc3782a2dabc1adf075d4b2d1898d81994c4077e8dfb8dcee670243d41911
SHA512 6a856d9fe66d101a76ae0119d1a18b36dd9802624c6759b53948fc0ee6c8b225369b3d4e6203a3d17988a0a252f8082d033b9cb4e86ec25dc73e38468dfacd4d

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLXBYGU\service.exe

MD5 7328d67b52f6ab8924dd2001fbcde70e
SHA1 aa3273ecddb2e9fc0b28ec8097963c686aef4d6e
SHA256 0c35732898bf042cdc718d1fb365aba543fc45117c1cdc8dd29fc393665ba328
SHA512 3781c5c9c9e8b6097b8b0e6b5ff51a27ece2f32520b2d58f4d4d3487999bdbf416b9c3a1a09f85838f08b826f48cb3b4feb0333f94ccd3700a238671829fcb63

C:\Users\Admin\AppData\Local\TempUNTFB.txt

MD5 df991281594bf3ed08c989ba03245429
SHA1 9cfe994e41c8c02cebc6c2788e16f10555b772a5
SHA256 b3cdd60c0ed22392b83413ebb0c6ca139d5d4405e134e03a6130b223cda4974f
SHA512 591494c2ac161b8c4f276c6cabad63e97aeb1be19f25ce1790e3c284a2e749b4ee0a21e78c53d5522e227b2a5cb26ef51df84b4ea06d4087fb39c0014c68e782

C:\Users\Admin\AppData\Local\Temp\MIWULVOMPAFKYXJ\service.exe

MD5 48872a884799a95338558802a957e731
SHA1 d5825541b8b39ad8b7e9c516f0cc9cc546bd4e7a
SHA256 482e9dbb59c8ee576e04b4fc0619a649fad4000119567f4de62b919f492cfbc6
SHA512 aceb08610d321e89740f717299e7dce6b8e5cf5c1481ff2b8fcf60c9892595a633c990eb55f142872efe9b95f050e8844b1fd5d2aad157242ef1022ed6b892fa

C:\Users\Admin\AppData\Local\TempXXMVI.txt

MD5 a9624702f92652a8857b5b1fda35b468
SHA1 dba8956c33ab63c2544c86fcada1e576d798b110
SHA256 0a307fa8706bd033fb4b08413e371b0c4a33948c34abc6dd343d0646b87b52dd
SHA512 9bf6ed6a64f1c8d621fa1e7eddfc8b8d3a14190bfa9d765365fc290635862cb575f0a956460b2161bbec874c511c68c9f108ef90b7794db11b0be38520aba216

C:\Users\Admin\AppData\Local\Temp\SRBNNOJHOKNUEPU\service.exe

MD5 30ade2b299971a8a07650dc5ad71550c
SHA1 8abdc2ac8e45212ed53b6b01e1db5de0f626fff3
SHA256 21d5ac245c3e519d9dfac719c1447d50fdb4b85635a1ec467aaf997112f508eb
SHA512 5b640b70bb8fdfe48305822cc82c105bd7d71553b7f66dea7fae124dff8e137742843605b40c1e717bd5b4726cfda2e9fe2247d6c274a2437dd658b42976da2e

C:\Users\Admin\AppData\Local\TempKYGUT.txt

MD5 bf22cf6f9bae1f7b41a408cd84a905b6
SHA1 78ebcab3479073876ed748d4d66901f508d8637c
SHA256 67c06cd367116c00235ef003af5f05324d54196619793f1118017bbc73dcf78e
SHA512 23c6e516c923edc7d1c308ff6ba3021ac5c81be3d01421da3cb7e7a61472c52fbcfd0e2da182abd2b46ac9b63a5677d2844752bc001125c90fa58e4c084a9176

C:\Users\Admin\AppData\Local\Temp\LODVUCWMCHQHGQO\service.exe

MD5 2093faa2e48a645033d78e07b95871e8
SHA1 934dddb5b62eff6bfb1b7b03da8dccc540371631
SHA256 0bf89febcec1c39ae38de3a9f886c1033d2a3c66624326c5347c23c9967d69e8
SHA512 bc759c7484b3b46cc6a2c38e2fda904577a6a09ef584b7471da6dc2f74271e4a9f73159a90973b575770c090a1d0e7b2001131064f990dcdd906743289deac3c

C:\Users\Admin\AppData\Local\TempJBDRN.txt

MD5 129084c988639cc5dd06d567717615cc
SHA1 07e3dd6c8e6e193cf1d6408280da3b114b9c4349
SHA256 2633a7f9ce0e7c0a93e3ae5966b7e7987c7c0245c5546e3ea0cab53eff8fdfb7
SHA512 15eb24f7b0e5c005b88f97a1c203b4cf87daf051cfc73ede2e6c3a727930e0cd328bfa66a9e08bc53b70f3107f41dd8c71d75d6a10a1e992481e25aa96474c8a

C:\Users\Admin\AppData\Local\Temp\XEWGSSTOMTPESAJ\service.exe

MD5 5c4eb97af77950bfb35f5bf6e7e044b3
SHA1 cd7b2268b132665cd205ef0fd774bb7d31e625aa
SHA256 23d6bf77a26c7c1a354d096ecfd1bd1f841092add565fb4eec070f60a927f753
SHA512 76fd2660d0097547af97759ed36bedb10b5a68e6bdc62f8a15f4296c6dcbf3ef813fdfcfe1fd1fe59ec21dbbcf119adb1add05332d32e38acee5dc0dfc512e62

C:\Users\Admin\AppData\Local\TempQUGEI.txt

MD5 762176b93392d3fa185d87beae5d603a
SHA1 661f80428f4c1d317155659a2063b5454e059ea7
SHA256 d90e1600d1aca150e396b865ba705281910a05f294ec56037f762927bced96ef
SHA512 7570c290aae23c81bcec7ede20e85811e4dd31168dc4f5eb992aff042d4a3ec7ea4687680003cdece0d53c142f6cdeac50f89d29cf28d1c82099be6c50277f97

C:\Users\Admin\AppData\Local\Temp\KGUSITMKNDIWVHP\service.exe

MD5 0b722b7410ccc34bdc2368e84ff9e066
SHA1 e16073613877a0f73cbbff36f797c5cd86dba5ac
SHA256 acee8a068585939f827897a4bb42bf5a85f8a630a78e45f12c33bb09317fee06
SHA512 f4e90f2e4badc9f262d008f41fc93ad67e77ec2c871394d26a84800d1d7a8f53f22b9441b5e85afc8ced143d8831f07a726285c89c5e6a9f5f98692866e64a42

C:\Users\Admin\AppData\Local\TempMSDAK.txt

MD5 3fe555cb8879d9622ce24f773a557d68
SHA1 121598f14d4d63ac7de4e8aed591e603158eeb13
SHA256 41616ce36b6f705cedc6c3eae410144cfa72d73a3859c9089fc14717dbd1ea4e
SHA512 662f1df58a1dbe7b5529f597a94fd0a9919cd560a466fab1af1039477d2fcf25afcd5406fc8b233313aa34789456719552488ccaae7e80e34b9e812dce1374ef

C:\Users\Admin\AppData\Local\Temp\FOXGCQUGHENFKAY\service.exe

MD5 243b2a5ec6205a0ea1321e560837777f
SHA1 e15b985c233b12d595b976f127b5123fd56e1eba
SHA256 7bef1b3f019e8e06e40f2d5d70322c9342543e9cb7df66ab802180e8b200cec6
SHA512 f64158b11f6a1357bb5a14648be064ae37ab7c9f5d5b2195ad0629d8a02cb50595f61b19f86bb464a13fe333bca617cb6af88306d2cc2ed0e72daa86fbbf458a

C:\Users\Admin\AppData\Local\TempPXODM.txt

MD5 064980d572e573e41cfb79e310369d69
SHA1 c48f752070a34a7bf790e1b3e2e95503275edd1f
SHA256 11f3448ed0674a7deb1db20a2eac212e743461d223c786c01b3e5d7472f46cbb
SHA512 59cab5247fdc3567b394bea3024d42d7f04672efd90f0014a4b53407c84a5c495a705105ed2e8b471344d2ada9b2b460a17707d76205290f9198658447f39a3a

C:\Users\Admin\AppData\Local\TempGVJQL.txt

MD5 5ab92508eb3850a2eebe874b93a12809
SHA1 4f2d46a53271392b77f698e0e81010b1831ab84a
SHA256 e2a607983a61ba1e1d5a5892b296b29fe6aea0b20ef0b0a713f029bb2d16dc92
SHA512 ab65c2c6fb836e6b3042f5ef4375446a896aef88ce4e3eaa76fb3e6027c9e8e60a625037ef8dd6ac25f5b24cc36ad1d26059f38c33ecca9fee2aa35ad3c40b27

C:\Users\Admin\AppData\Local\TempGLYIT.txt

MD5 6680d5435f0e55e8bda4e1d08ce85927
SHA1 f157914007529c2ecfdc9458193f7dc6e28fb659
SHA256 eb0b27752e754ae4bdd6887e6642e076a43d5f2f6f7269ff88e2e06c125e28c9
SHA512 c483e7a4523fe6042b964be2f7201b183d0f7aafbd4f607297b57c59f8b0a51f86e1a21211b01a1099db9dbee0265e50e06fcf97e6ce0deef12e410d7cbbb5ad

C:\Users\Admin\AppData\Local\TempGUCQP.txt

MD5 9d8c823aa9d6fc3f009d667a0b5c2aeb
SHA1 9cc26bc83d1c543b737c4880b73e40a6ed254bce
SHA256 980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4
SHA512 66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

C:\Users\Admin\AppData\Local\TempCWAMY.txt

MD5 1cd39d2f28bdc0e35e059bd9a929c777
SHA1 e0f0451e82611dc51329c2cc1213543133393057
SHA256 4af301a83cc0fea0bc0e6a4abd8d1a0b066d987fb79c9c58ffa225a3813236b0
SHA512 640b1bcd0f4c14b7eda5086448d19042cdfc4284752da5ecc7c99d417db5230201b6260f06a0067396d4389ea390f8f20e7a56788cde2587fbe11ee37546e12b

C:\Users\Admin\AppData\Local\TempDUNSE.txt

MD5 9e2d17ebffb335cfcea4a41d7a5fa914
SHA1 67f00df6335f8a465b2f3d0a804b43504f29d6e5
SHA256 ef95b308cbfdd478fd4b0a520c62163117ade9906c46b2b0c1cf302ce1517ec2
SHA512 88a20e1e983dd3d2a7f6c88840405bba7bef5e5549c1a80f16c52a06715ecf57c3cb3d4b697d02e86e8cf47fe410d68e8ff425fa765dbcc09666e16effc7784c

C:\Users\Admin\AppData\Local\TempXXMVH.txt

MD5 71e54ab76139107a7737607599940869
SHA1 109f17338ba1b10331dd7e7f6a78ae33d5ab4e16
SHA256 1fa25a81a8a03c14124ba72e6f2e3992dcfa67075d7a09921e51bb4ccb95709b
SHA512 80b5d18c7d7397b4a05c83f1a3522f5e0e2f5eca7c95e73b7dbe9fb2d6d4baa2dea0b720e23776bbd7bea004a5b403c5b7a075e7bd8c28c19f12876597749fef

C:\Users\Admin\AppData\Local\TempEPWMK.txt

MD5 82ea3acb38f2cddfe0ce0a4dd3625967
SHA1 e3641c25d35e256d5ec5a27a79a6621d80a71984
SHA256 2cf61e9f1e595b875e68fe8d259ac62d04905307547afc0ebaca0393ead904a1
SHA512 ddcd21f510d02586ad67c3cb21d1485d2340d933cc69e0ac37b2c587de5f646b663775aef3a41dae24ac47cda8eed18d74c8f7a92af158678030bf948c413daa

C:\Users\Admin\AppData\Local\TempHOJOK.txt

MD5 00ef6719c49879cdcb674c622a77514b
SHA1 1e26d8b717be7ab42e65354a3eabf1c15284f0c1
SHA256 0726d49581a365967d6a2eef35c7c9d6fe76a66499c2b23ce5461d7b751f3398
SHA512 a3c29e2fdec01b45f97f836bd08de20930df8f5b3c0a1506e091be1ec3fbaf4d63025d17f78ce43e68fd88395044f8327094a971a1c3219e53f5a48d7134436b

C:\Users\Admin\AppData\Local\TempACESA.txt

MD5 c6dadd9daa4f7839b639405d6c0aa376
SHA1 32622e34687bedd75b616bcb03689ec3878b6d8c
SHA256 3d80e6c36247c550ed9a5d8a98864bea7a158176df8af3b06125d1866ec5eb41
SHA512 6b2d45c53d65da5d58ea7cac29a4c8c08c77c8d510fe1b29568ed41c59205a4a257a229d0130d60fc01db033348de17126ef3f0f4c70cda74c07d5df1942e26e

C:\Users\Admin\AppData\Local\TempVQQFO.txt

MD5 68501ffc222bed302d40b7c24000506a
SHA1 5ef27330e33028763e5a1df4314f5602f992fd2e
SHA256 21d2606b5919d0d98e22100862e07fa902c4fee35280d6d6fd38636237f285d7
SHA512 84e54e97246bb6293d574d06c6555059dddd5d1726c968d6c848c69ca0686ed64824fabc6197d91dfe39c1c33e7a9e15a7eab9aef035ce7e55de14aa9e656f77

C:\Users\Admin\AppData\Local\TempGPCYX.txt

MD5 2e67cd5272350671843a3ce6c107e84e
SHA1 1a6c3a90358ebfcd28c14c338651e0b0ccf2bb85
SHA256 d28eb3a5af76ec7f0b2055525d511b04e60c05da27c8fbee1eb95b820f84601c
SHA512 b75fb1ddac3e24fa714e8493af5d3e86fe930a96a567fcfac852e253aee067e5ee73c9b5144198f2d301eaa308e259f4fa2ffa037c8a30f083f5464f3bc55a63

C:\Users\Admin\AppData\Local\TempXSSHQ.txt

MD5 e6a3a56f354855fe945e574726a74e8e
SHA1 9a2f7f9541ef3997b00d38310130f56ee9789103
SHA256 1fbde454d26f4f85469a429ca9861cc0295711a2b25b2bdd6753358a00cc756d
SHA512 ee981d685614b86bce6871aec61a273af62dc300a3c993ca473e2d16fb7cf923d145b2803444aca60569860efc83f1390035338557996bd1dcde1177ca471d27

C:\Users\Admin\AppData\Local\TempNWSAF.txt

MD5 1a15ba0942c96ad946befe1a84299150
SHA1 81cb5052e3dfbfccfce36ebe614cda1163f72d99
SHA256 00f4acfc005e1e8dd5cd682d989afe03f1e7ea57a57fada424cf43a6d33920b9
SHA512 e9833508ee354ba75bbf490d6cc67783a27f8da1acd56d42045d81257d29057f350bc5f98943caec0ca5d8cb1b9697ee782c6795316c38fa309227e866bf6268

C:\Users\Admin\AppData\Local\TempBYYSK.txt

MD5 fbdf40fc33db432436fea5625cec9708
SHA1 52fe08ac9bf723eb3272f83ebdf6ada1f8e572d1
SHA256 386ae3019291af3d93426485790af6d6555ca4f52bf0a097b9ea54894a635ddb
SHA512 6a37de0e089fd35026db73a0071454ad2d93081e4cdbe62093915ce5bf2efb5e5b814605fbbdd9109179f47a253323f5c738f8e3d2f3167a55aaf457a3ba31d9

C:\Users\Admin\AppData\Local\TempRFIIC.txt

MD5 c6109ea3e924c40708dc5bfcb379e840
SHA1 26094da054fed9080e892c828fedde828b5c662f
SHA256 901424916d1e432a6b7750d48818f3b25c0badfcaad6f0794c71e717f1c9b319
SHA512 c6f1c418b14a6a00ac2563f2692f5191292a32b2e0904c12e34efa90a8ca3cc0b867c1a41f480c67bc5823096becd612502fe585f8cbdbe7b42cf8dbd6eb6758

C:\Users\Admin\AppData\Local\TempNLPKS.txt

MD5 dbc03ad51b4de1604a0a68a15025ca65
SHA1 091da25146b4e3d63f67768163b317048fd429af
SHA256 c369a59d27e8ad5f6b2e3ebdc05346b56314093edf78d575bdab6140eef11e74
SHA512 9c661727d2d6bc86e5351ce399d75c38003df8dec6159a2508b9ad69e690f3490348524908bccf56646d7dc446cbd86f45e8d271b3fa7468b07a0b96b8ad7c81

C:\Users\Admin\AppData\Local\TempGPBHM.txt

MD5 7bd1ddc9c9fb9ae8e0dfc9964adc6f7d
SHA1 b95bc762a33597ef00c74ec7b61f5e1a12436aa5
SHA256 f439d7f73f3e5b01b75f3928a9e8363d37048de94d6ef7bce540848bc441824b
SHA512 c3e3ba8e33d81e7cf4db7766f23655d40ba5231cdbddaf727224b2b0e455a16d6eb080dc0571077add5397b35fd96aa07ad8772f267a38c924222651a9d271b3

C:\Users\Admin\AppData\Local\TempWIQIC.txt

MD5 839894c6f6c66a4809d2685fc4933ce1
SHA1 a3ef0f1a0b0ab94d342ca958ccfda0e0781c40f8
SHA256 4f382685626a0774909ff0e2aa0fbf7fc2873e5700976c082b5713a53a344d9f
SHA512 1ddd29199ad40ee06a3248803ab1c4d83a9f3b9983e1ca7555efc70b256f9834c61f6c839ce4715998034e242812d49489a1802d6993fb61ba6ac22eb9c16da4

C:\Users\Admin\AppData\Local\TempQOSNV.txt

MD5 519542171b0e8b9bdbf79f969d78084b
SHA1 86ecb4c893008cc9618274512cd611910216bfa3
SHA256 656fb5bdcca7191d61000ff8158011a455bcce6166332a3ff1c416dc1f259360
SHA512 694ea3df3b3a56fd54a565acd5026e821db8f954047944fd65d0546233cd983f94e05058401cbfc1b8bdeb0ceea63d29e2e61baab4cd093fb0000813a55650f1

C:\Users\Admin\AppData\Local\TempUYTPQ.txt

MD5 c0431c2a9820033642abcaf1a9935020
SHA1 f1d19e2dcca85a2b12ab0c6fb0afe15ea3ba75a2
SHA256 e029970db3deaf8cc60cb32dd8a30f3c2b7fba373eeca9c7838cb33cc1ba3957
SHA512 ff9eff9794aa7295c8298eb7abad4de921906fe6754ed18144f2508c7f5bd226bc024767ba3a1776707289826e16195a72e5fbc5117dcd74d4096d70589aca12
