Malware Analysis Report

2025-05-06 00:12

Sample ID 250223-1vh12axkdj
Target 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
SHA256 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6

Threat Level: Known bad

The file 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades payload

Blackshades family

Modifies firewall policy service

Blackshades

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-23 21:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-23 21:58

Reported

2025-02-23 22:00

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGRH\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPFTPMRERTOHL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WYOIBGNXNSKSGRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TPDQBAYEWVRSFLS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQAYMMNIHNJMTDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUUIJECFVIPKPLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUUIJECFVIPKPLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AKXTBWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QEQBAYEWVRSFLSS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RRBNMNJHOJNUDOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWHFJEMAXCUSBBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIRNIDCSTQYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TJFESIVRPAUHAUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VNMUJIJEDJFVIQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIIKFBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDJARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJECFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQVCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDMVTEAYLEYFVOR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPHNUGGTARNXNJI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\KPCAOWOBDXTOCYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDLCX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVCLYUSDXKDXEUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTEFSYPXMWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAVRMVGWBGVWTDO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKXNXRPRDHNAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKBTLHCSLMVLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FAWPUNDNHFIYUVD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPSU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQJOVHHBVCSOYPK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\IXYVEEQWNLPKRGH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGWFNBBCXCTOBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\LAUQLUGVAFVWTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AOKYWMXQORCHMLT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BVWKWIGKYCMRYKA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YEXHTTUPNUQFTBJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEPQMKMCPXGRWHT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AIRJFATYJKIQCIN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ECGBIUVQPRHUCLC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENEWOKFYOPMVHNS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\JXENWUEBLFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVGHAUBROYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOULTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OCNWNBCXTOBXIYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\CEYUPDKFJXGSYOM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDAPXP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVRTFLSSDXWLUHG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXQPRDHMAL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUVJVHFJXYALQXY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XDWGSSTOMTPESAI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVFCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACSPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVUYMCPLJYOAOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPGXODND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\XVANDRMKPCPRMFI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TWMGELULQIQEOFA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOSFSUPIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCHOYAAOTLTHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QOTGKGDUSIIKFCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXWEYOEJBSJHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPTGKGEUSJILGCD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQFYWFYOEJBSJIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXVDEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVEMBABWCSNAIC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYWFFRXNLPKSGIY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDTOCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBYUSBBU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNICCRSPYKQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCNLJOBFAPUNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWWAXSQXTIWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIRYJFAQJKTXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNSLBLFDGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BRRPXJQUGEIDLWA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKXAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\UWIMRFCQQEFABWR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JLXXBYTSAYUKXAF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWXUDDPVMJNIQFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MFUEMAABVBSMAHC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTAJWSQAVHBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMEKRCDQWNVKUKG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3016 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3016 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 3016 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 3016 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 3016 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe
PID 2168 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2848 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2168 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2168 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2168 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 2168 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe
PID 1228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2332 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2332 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2332 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1228 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
PID 1228 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
PID 1228 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
PID 1228 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe
PID 552 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1484 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1484 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1484 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 552 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
PID 552 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
PID 552 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
PID 552 wrote to memory of 308 N/A C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe
PID 308 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1380 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1380 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1380 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 308 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
PID 308 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
PID 308 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
PID 308 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe
PID 2288 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIXYVF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OCNWNBCXTOBXIYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempURWRY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AKXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQLTHI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CEYUPDKFJXGSYOM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe

"C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDAPXP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKGDUSIIKFCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NPFXWEYOEJBSJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPTGKGEUSJILGCD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQFYWFYOEJBSJIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempELGLY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UWIMRFCQQEFABWR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe

"C:\Users\Admin\AppData\Local\Temp\JLXXBYTSAYUKXAF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPQMKMCPXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe

"C:\Users\Admin\AppData\Local\Temp\AIRJFATYJKIQCIN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQAYMMNIHNJMTDO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDXWLU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QEQBAYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\RRBNMNJHOJNUDOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYWFGO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXUDDPVMJNIQFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe

"C:\Users\Admin\AppData\Local\Temp\MFUEMAABVBSMAHC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUBXXR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVRTFLSSDXWLUHG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKSEKP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKBTLHCSLMVLM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe

"C:\Users\Admin\AppData\Local\Temp\FAWPUNDNHFIYUVD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWALYJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ECGBIUVQPRHUCLC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe

"C:\Users\Admin\AppData\Local\Temp\ENEWOKFYOPMVHNS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLYUSDXKDXEUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\UOGMTEFSYPXMWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HWXVDEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe

"C:\Users\Admin\AppData\Local\Temp\NFVEMBABWCSNAIC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFRXNLPKSGIY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDTOCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKXFOF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBYUSBBU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\IAQHRNICCRSPYKQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUEBLFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempFGDME.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPSU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQJOVHHBVCSOYPK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLOPUB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FTAJWSQAVHBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMEKRCDQWNVKUKG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYGHQL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IXYVEEQWNLPKRGH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGWFNBBCXCTOBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJBDRM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUVJVHFJXYALQXY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe

"C:\Users\Admin\AppData\Local\Temp\XDWGSSTOMTPESAI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKYGOF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWHFJEMAXCUSBBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\IBQAIRNIDCSTQYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOULTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBRKNO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TJFESIVRPAUHAUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VNMUJIJEDJFVIQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVFCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEHISN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YVUYMCPLJYOAOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPGXODND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XVANDRMKPCPRMFI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe

"C:\Users\Admin\AppData\Local\Temp\TWMGELULQIQEOFA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUYKIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAUQLUGVAFVWTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe

"C:\Users\Admin\AppData\Local\Temp\AOKYWMXQORCHMLT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempACESA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BVWKWIGKYCMRYKA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YEXHTTUPNUQFTBJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempURVQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GUUIJECFVIPKPLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJECFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQVCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNLJOBFAPUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWWAXSQXTIWENE\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKIQCJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIRYJFAQJKTXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNSLBLFDGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempSYEFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WDMVTEAYLEYFVOR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe

"C:\Users\Admin\AppData\Local\Temp\VPHNUGGTARNXNJI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNWSFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOSFSUPIM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPJCHOYAAOTLTHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEIYWF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KPCAOWOBDXTOCYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDLCX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYTRAA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BRRPXJQUGEIDLWA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKXAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempULJNI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LAVRMVGWBGVWTDO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKXNXRPRDHNAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVREB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPFTPMRERTOHL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe"

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WYOIBGNXNSKSGRH\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-02-23 21:58

Reported

2025-02-23 22:00

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNIHNJMUDO\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUSXKAOJHYWMMOJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMSKBLEYDFVSSA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VURSFKRSDWWLTGF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HGTAKXTRBWICWYD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXNHAFMVMRJRFPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TKTQLUFVAFUVSBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WESRDLDVMJDTNOX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVVWRPWSHVDMDX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BDGRTOMPESAIUYJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCTLHCWMNKSELP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPFTPNSERTOHLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XYBLRYYJABDRNMG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUQTWVXJNSAFDRR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PCGCAQWOFEGBIWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNVIOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCFRSNLODRYITYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBTKHBVLMJSEKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCDOULJNIPEFXWE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LEUDLAVARMGBGVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YCHVUGOGXPLGWQB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NLJNBFAPUNDDFAH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQCCPVNVJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QPBJBSKGBRKLVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JCRBJSOJEDTURAA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RPUHLGEVTJJLGCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NQGAYWFOFKCTKIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYWFFQXNLPKSGHY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBCXDTOCJD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGUTGOFXPLGWPAQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RQBYNMNIHNJMUDO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOLKOCFBPVOEEGB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVGSRSOMTOERIT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AYMNIGJYMTCOTDP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NOJHKNUDPUEQCAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYGCRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FLQCAEHSTPNPFSA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SUPNPFTAJAUKWHG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RVQYNOAGNOWSSHP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWVLVONPBFKYXK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MHQXIEPIJSVXIJG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GRPNRFIECTYRHHJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPWRHUCLC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXGGRYOMQLTHJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIXHPDCEYEUPDKE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BGLYKSKTPKUFUAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRQSNLSODRYH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YOKJXENWUFBMFGW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PHXGOCCDYDUPCJE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KTPKUFUAEUVSBNT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NJXVMWPNQBGLYKS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TAGDSRFGBACXSFN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLYBGPGF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDGSTOMPESAJAUJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CKCULIDWMNKTFLQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URQUHLHFVTKKMHA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKQXIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XWIQIRNIYSDTCST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MOEWVDXNDIARIHR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QOTGKGDUSIIKFBD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NPFXVEYNEJBSJHS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUJKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFBWQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACWSNBXIYDHXYVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQMYPSRTFJOBNVN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FESIVRPAUHAUWBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRLDJQBCPVMUJTJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1044 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4992 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4992 wrote to memory of 1192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 3988 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 3988 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe
PID 4924 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1840 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1840 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1840 wrote to memory of 384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe
PID 4924 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe
PID 4924 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
PID 2420 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
PID 2420 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe
PID 5092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1224 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1224 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1224 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
PID 5092 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
PID 5092 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe
PID 4604 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3412 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3412 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4604 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
PID 4604 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
PID 4604 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
PID 688 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 688 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 408 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 688 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe
PID 688 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe
PID 688 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe
PID 4236 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4792 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4792 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4792 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
PID 4236 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe
PID 5056 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKXBBY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPNPFTAJAUKWHG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCXBPS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVQYNOAGNOWSSHP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe

"C:\Users\Admin\AppData\Local\Temp\MIWVLVONPBFKYXK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVGFJW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BDGRTOMPESAIUYJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCTLHCWMNKSELP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempRAQRO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCHVUGOGXPLGWQB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\KMYYCUSBVKYBGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPNSERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQLRWH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWIQIRNIYSDTCST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe

"C:\Users\Admin\AppData\Local\Temp\MOEWVDXNDIARIHR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPSTFG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YOKJXENWUFBMFGW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PHXGOCCDYDUPCJE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCFHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WUSXKAOJHYWMMOJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe

"C:\Users\Admin\AppData\Local\Temp\CTMSKBLEYDFVSSA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIWDRQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DOLKOCFBPVOEEGB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDVGSRSOMTOERIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempBXQVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XYBLRYYJABDRNMG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe

"C:\Users\Admin\AppData\Local\Temp\GUQTWVXJNSAFDRR\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYJHLG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KTPKUFUAEUVSBNT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NJXVMWPNQBGLYKS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempSRDLD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PCGCAQWOFEGBIWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNVIOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempHMJUR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TAGDSRFGBACXSFN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLYBGPGF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAYDVU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AYMNIGJYMTCOTDP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

"C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWVSST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUDPUEQCAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FOYGCRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPBHMA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MHQXIEPIJSVXIJG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTAWXQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VURSFKRSDWWLTGF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

"C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTMPQV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HGTAKXTRBWICWYD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUGEIW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BCFRSNLODRYITYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempWHFKX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDGSTOMPESAJAUJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMIWVH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QOTGKGDUSIIKFBD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTYKHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKTQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe

"C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNOLUG.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WESRDLDVMJDTNOX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe

"C:\Users\Admin\AppData\Local\Temp\GJVVWRPWSHVDMDX\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempVDRQC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NLJNBFAPUNDDFAH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQCCPVNVJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKSOWO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFBWQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLGEVTJJLGCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe

"C:\Users\Admin\AppData\Local\Temp\NQGAYWFOFKCTKIT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQWMKO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACWSNBXIYDHXYVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe

"C:\Users\Admin\AppData\Local\Temp\CQMYPSRTFJOBNVN\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJAUKW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FLQCAEHSTPNPFSA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe

"C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempKNOYT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempEABLH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GRPNRFIECTYRHHJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe

"C:\Users\Admin\AppData\Local\Temp\GYJVUVRPWRHUCLC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempMJRDK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBSKGBRKLVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe

"C:\Users\Admin\AppData\Local\Temp\JCRBJSOJEDTURAA\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAHHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYWFFQXNLPKSGHY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe

"C:\Users\Admin\AppData\Local\Temp\OHWGOCBCXDTOCJD\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIRNVM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXGGRYOMQLTHJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIXHPDCEYEUPDKE\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempDENJX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URQUHLHFVTKKMHA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKQXIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCDOULJNIPEFXWE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\LEUDLAVARMGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUVSBN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGLYKSKTPKUFUAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WCVFRQSNLSODRYH\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempAPQNW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BGUTGOFXPLGWPAQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

"C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe"

C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RQBYNMNIHNJMUDO\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
N/A 192.168.1.16:3333 tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp

Files

C:\Users\Admin\AppData\Local\TempTAWXQ.txt

MD5 0f5f918e94bb2a4ad5c69674e5a6f128
SHA1 319e72171810dbd8ea09f1cb294a0baae761e514
SHA256 3c8a6def445c0ed7512ffd5f3177d84bce4068242ecc77e87407aaf50c44b0e5
SHA512 ec9919764e2f9f535ab22bcc3c9991ae4d7d9512e7587a56736dd8bf446cbe855ab26efee5b03d099c7644771d79d9b591c5f0036c424cb6510d712124af5d19

C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

MD5 c54f50c0606ea528b400fabae109b9a9
SHA1 bcb829372dc673e9d1627cf9b193e808480aa995
SHA256 75ed5bd2b7f39c281ae27e77304d342784fbc12356f6d285fd25912735123955
SHA512 9aabb9e3026465e05a672260bf1eb5dbea85eb252cc6b5bdc4105c841143581fb121365ea7465f41c015cd9791757178886f473e49cb3d85cb04d62a5d20c4ba

C:\Users\Admin\AppData\Local\TempTMPQV.txt

MD5 42bf80bf3ab31843555afd47aefc91ce
SHA1 e6550a0d3ba7d1ce5c3bf58bf5b6bc21354f37d7
SHA256 57995eb76711a6f8aec1ac8c785a8338fbf6157916c36398fa0bc9fff7807ee6
SHA512 dabe5436e1cabbd3b801883e6f6312ff623b256aa70634cee08495f68ec62899baf90fdd20cd7ceda54466f72def27f98c9acb7324004d920c1689638cc51828

C:\Users\Admin\AppData\Local\Temp\UXNHAFMVMRJRFPG\service.exe

MD5 8ee461597ef2dd2546a9eafb21aba690
SHA1 427034366961fa4d5da930903d804e47c1631947
SHA256 b3e57ec4d1b1169885f0a5087d8d0760ae894eb66df6265d910d801c1c268565
SHA512 a2398ebe47b5e73051808db1cc4cfeb407cd309af4e8a0ebbe4d86e3014f228429f83b9a3e44879d39808d804cf9973c8e5734b28f4c3b6c94926acdec15e8ee

C:\Users\Admin\AppData\Local\TempUGEIW.txt

MD5 c6ad413703313815cb7b72e3d5e4d387
SHA1 702afd950c3d5cfbf13ea5e27932a792ef9c2e5c
SHA256 28d8d55a537d91dfd6c059ba0ecd06b85cb84da39e4a2ba1a9a3794dc8d61f84
SHA512 f1b5250a66c6b97546ed4caaca5cd56924a9471c91063e08758ac349350b28b5843b4b1831b425d3e9054609ae421923bc0354687fe7678f66702fa93cb79bb5

C:\Users\Admin\AppData\Local\Temp\BJBTKHBVLMJSEKP\service.exe

MD5 dc86c3627f7c51a49e0628c178e1f110
SHA1 d115506aa7abd92f609de25e8d84aa335f3610e0
SHA256 420ea4f5294309ff5aafd0ad24ed94079cdd01da7768ac6354db68d0b31fc645
SHA512 766a85c2fd96ec0203e9b5c8c101e7d958460c16e8e27575eb3927f362d58b2310a72e69523d20a4815188d537804619615896e461ae57e331e947d65ccf036f

C:\Users\Admin\AppData\Local\TempWHFKX.txt

MD5 ba5f9b1988e932bc9725380bb429969f
SHA1 60f8bfa16f254a72a26689e7fe13913835968073
SHA256 7f2e5f8d2bf4846e862c605804ae53b8332bda9d1a6d16d0a625c9199aa3542f
SHA512 549192fea8b82c9b36c4b4c0a63ba084d979614d831e93ae0d649d914c25de615d483314f96ba87df612d290ab23fda51fc84f75064cfdf97a60980c88ab5d37

C:\Users\Admin\AppData\Local\Temp\CKCULIDWMNKTFLQ\service.exe

MD5 345076bac10d15e064535ddb6564c99f
SHA1 ed1f89050c1c83b9ba760747104941fe4b79746e
SHA256 5c9302eb3a033a97cbb86ce374948d0791fea51de8dea90e75df8ac76590b03e
SHA512 edffd6b6710dfc462afff6bde089e7fbffe3bedcafa9003f773482853a84f6869ea9760488dc9ed928109fa9a15465b26af81e5bce93285fae6eec55467974ec

C:\Users\Admin\AppData\Local\TempMIWVH.txt

MD5 ed29e7a8f7dc432a78b96eca9a08642a
SHA1 c6adc5520e0f5dd0ac12a13cfe3fe8cc682c3ab8
SHA256 895b9882491838cef15eae8fe21e3478e07273988b817118c579641b93689190
SHA512 2547184dbf7373b39db0fd6fd81fa8c93e396ca308a3e3e5bf82bf13be5dad4cb8964047b96b4bfbae225f26831d95ff423b5edca6179eeceefc97f9d4f068d7

C:\Users\Admin\AppData\Local\Temp\NPFXVEYNEJBSJHS\service.exe

MD5 36f054bc93f1a0f84a7218bafd5570d0
SHA1 cd9ec80f70e3473fea51de7d7de63cab811525d0
SHA256 8d63d4fbd36dd40f0e9be7b294eca22c2b6850bbb6de1d91d54dcc2a8e062617
SHA512 db0294ebbfc59c59caf486d1341981a9dd085822f42a331fc149b39e9f31abb95588e8516671468365d88bb244741fa465b769c6867d3bf459c18eaf84aa4c12

C:\Users\Admin\AppData\Local\TempTYKHM.txt

MD5 e8e32524e36ee057c07930fb73c593f0
SHA1 47b1458e34d280a6ce43a992e8b5e47a5644cc29
SHA256 333800e64ecc52753e36c5a484d65bcdfc9e52a0e67fc14d19f2a10e95b91a4c
SHA512 578d39c6233f809442280678835cede9d6a73f8d3011d5e613508f6ceae34460b9e6dccc6e318f616e9cb6138e4071fe906b543d300bf48c339579c06f20d7fa

C:\Users\Admin\AppData\Local\TempNOLUG.txt

MD5 e26d004c18e2ad99e2dd3784e74d29f6
SHA1 0d2cff5688897f03f6c9002fb2f52042d748ef30
SHA256 73a708e8b6c5dbd3dde02c9d9e232b6210254b16c28196a5bccdbdd8edddebe7
SHA512 df6610fd9840ae07a9a4c8de2af3f33c2bb0096e4558fab6bd4bd99b8cb9547be30352e64fb61e88a9ec4df3f5047803a0cf677924abfff095c1eb73eb9263b8

C:\Users\Admin\AppData\Local\TempVDRQC.txt

MD5 4d75596e64860e4261a8bf3fd26ed5c8
SHA1 25d4f10f75661e8baf02111f133e33c5d4c790e4
SHA256 48b30374461980efc713c3dcebd0d09f1b8deed3f30850bcbcba06e964797668
SHA512 1edd0d7ddac4c7c7f728be03fce86383c12af533fa05ea1fa5cfe90ce22343c877fd6c127a04a850c03afa92a9f03d75e0e6ce135cfcb52f67ba2a8eac4635cd

C:\Users\Admin\AppData\Local\TempKSOWO.txt

MD5 aa842c27a669217c58e6de3659796b05
SHA1 3dfd6b999c27d1faf4b20931cd158e5bac351106
SHA256 67a4bf4a0b0dde05c2c8892f8a5bc44cbe99f54e613451a049b61dca2291e45e
SHA512 697f1b874d92c72fe8462b5ca2d6f3b085d08447da51c1ad281a68a8dc3ea670c19c3a9e4553c3f01435b5cd17feeb0f30d083743cb7b4e8070c4f329f3e3857

C:\Users\Admin\AppData\Local\TempQBUUJ.txt

MD5 0bc5d2a03eb0e150f6c2e1c71a4b6ca4
SHA1 6517bcd5e3d3b9331e07c0f6007fec1a8e79f0fb
SHA256 c706566be3feba2adba77cba96e6fc5e2ddb1bd3cb1d46ad4603cde39d3d0eac
SHA512 cc27807ebf474e2cb006231aa877249298c8db378f5157fa0c5981275f85ca7c9bfe7229501ac11b616960c1ded92448a60b410de44c986ed1455e611ef70032

C:\Users\Admin\AppData\Local\TempNJXWI.txt

MD5 351119e46f798c1415001c88658bfaca
SHA1 690217c27eff4dcd537c066043fcc631e8b2089b
SHA256 5de0e56c154157dcd309b2f2112f7449347d3be617e07f7153c9c45ea0ba86cf
SHA512 769d08eb6e49d2e9b7abe512dc6745b0c2daa06144cc879b97a364337b290147b1ede38903a55d003f9546f356f4ec880bc0146c572da400f73adf64dcd8eef9

C:\Users\Admin\AppData\Local\TempQWMKO.txt

MD5 0dc97faab010bf174db702381c9ba478
SHA1 a515e6ccf579eda7e6aaae83ab4117c18cb73290
SHA256 0a4fcae90e3b4dc146f1f7a0a9fb11ae9c7ed566fd6029eca327b296929071fb
SHA512 c1ce922250bfd779f2eb09d8745c712af490d93e2ef6376b8a7ed624be9758208b4437990fa4a0cb53e426e971e4696ba358556e23cc7811bea22818ae4af716

C:\Users\Admin\AppData\Local\TempJAUKW.txt

MD5 2ac4cc5a4317bfbf945cd2d419f1dbe5
SHA1 e729666cbee1a78bafb451490c4d17a7338610e6
SHA256 867d0794c50babcb2c120e15f373bc98d7ffd9b0ca29f734b20d49731da940ab
SHA512 077bb3c7011abe236f83044468d7d4b769ab088484326ebec46fb8ffafcf00a8d0ea1548705caeb2c569319ad8368af4c69bc5baea1026a74f91ebad490526e6

C:\Users\Admin\AppData\Local\TempKNOYT.txt

MD5 f485eb466d124afe4f05082cc3b835ff
SHA1 00bd1a4c37f772616c2e3f6e3fd4c53341e1d523
SHA256 6246d34daef7970b9cab9952ec458e097ce05455408db8ddb3589dab848a9f9f
SHA512 dc0bb4ddbfef6bd302503539ea82d43aa0bd338da0a46a4e63a2701a77e87bb41c6f447ac5504908c900a7f511d6c9e516395b56235c00f56ee2eb5ca12325af

C:\Users\Admin\AppData\Local\TempEABLH.txt

MD5 861776b76831523679682a5ae15fa0a1
SHA1 b6a477f907a8dc193dbb1ca35335cf9611829764
SHA256 a35d3629e48fd0a31867067c2c281d9b80830d422be91863fe5b69b65922d3ff
SHA512 56949061de6a4e95a7f0fa8f146de809db47a5aca19dff1400e87241800a4c947a10a0e12e5908889ce63d2302be4e0a910dc1db711ef3bfeef41e533b5dbe51

C:\Users\Admin\AppData\Local\TempMJRDK.txt

MD5 a5fb00a96087f06911c0397be1a8fc9f
SHA1 f782d32a877c1035746ef1e994c1165a71734cc0
SHA256 37be668259048c9a00752ef14ca65be4b765997e97b5fc9cd707cb16591eed61
SHA512 40c8a6d4a167be5e1ed6b97d5bbeba0cc85e78e0ffa3c0ccf315f51141bcd9457bf8cce9ea7b4cd2ba134732eb898ef9d1bb5081ec01d9d07a84dbbb2918fb07

C:\Users\Admin\AppData\Local\TempJSNWN.txt

MD5 ee8e024e3fa98ca90d73c83a2dc91f46
SHA1 1f1b115ccbc4e85647fdcc90adfac5afe6639ab3
SHA256 99fbe30c0f81cf6cef8df23964828c71485f996912067a132955bff5859b4b4b
SHA512 150461dc208fa543f2f8e058cc84b9793a6f6171724e22d7a41642e7fdaa97841ad9c4b2f7ae87295820ff9105e729295fd87eb048435df37d1a0a40d6b12d94

C:\Users\Admin\AppData\Local\TempAHHQM.txt

MD5 764c6f83e516d4ca1d3b7408a50f18db
SHA1 be1d7c04d9861a6e80d770bdabac26e3250094fb
SHA256 f527d9d42fc7734e28a29d59910815e1550b0c1cbc4efaabcc15b0580be94881
SHA512 d990134e94fb1915536f64dcc10fc5d52eb2720cf337563583b1d07750272c3c71eeb029c382baf0225c57995d35626ae39c3611b57803ec78466fdc8ffd424b

C:\Users\Admin\AppData\Local\TempIRNVM.txt

MD5 2a68604252ca51ebbea26597dc2478e7
SHA1 4ddd87e1cf3fce03d24f98e54c78afffa5fa1896
SHA256 bb71df9c9ef903936d6262469a5ab4af2a1ca0b39d03ea3c4961b885651febc2
SHA512 962578b93c55a25030fa80efd44497a9d2ed90133a30c98cb7c02aeeda8ad6e8fca751d568d5a718a0bd0b17406aab428d3ead3351a4e6cc9ad0d165dbc37e7c

C:\Users\Admin\AppData\Local\TempDENJX.txt

MD5 4cbb29ee9f4ef94b5b3f6d1f0f45f313
SHA1 3b880e04ff8f1bb6a2ce6016080cd506ea746093
SHA256 b4ad76192e42d67224f1c5c2b3139552e2548600e48b81990c647c4358a2060d
SHA512 839dfdba7e0ba017ee7904c96b34a8738333adcd1eb34109ab362b949acb81f79e4af2e31684bbf3ed2cf88bba611019c6174db75dbd8549972e59698d14a67f

C:\Users\Admin\AppData\Local\TempFYOJS.txt

MD5 a6fd2f8c9f4c3b89660cde9a8798411d
SHA1 5e5225840746c55716f45aa65010d03dcfb72829
SHA256 e6fa6dab8769b1e03af0a5bcd75ff7de4c9855a060e61ec39a57a4f1f154ddc1
SHA512 befcd08692bb3937718d613a8a76079b64ac692b808c698e923cf5a339d0e85833d1fde91ca15142e676e2b2dcfce38e7a1894a2ba47c2cb2816ef906c168ebd

C:\Users\Admin\AppData\Local\TempUVSBN.txt

MD5 1863dc0be26821a12849a59d41f8efd6
SHA1 bbebbbcad37db8bf390c43674677db0eb38051a6
SHA256 68a9ee889dac14e10700a8cfdc0abd8475d073b752428c234d2c77b931746a7c
SHA512 ffcc7536fcdd0b35815416f1dea2a12db4efb754cf5b00594d280327750548c16fec53fb60650db6e225505c1dcb22f0aa1505d80938217ea30add2d443394ec

C:\Users\Admin\AppData\Local\TempAPQNW.txt

MD5 1aac6cd43898aacab093a3aba98719e8
SHA1 1e733ae851ae4110bac0da82ea01ab8276418e89
SHA256 2500182bf360be4c8df56bdda4eec8d53e534f645e8226fc327016e971dc742a
SHA512 5fc28e5de950c673b7739cd3f49f9ccb2cb852e210d21cd0aba750c5c287aab45cb8e49627f3938a92df87188df0360e711d9bcaf1230f294001b501f9281236

memory/2792-1002-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1003-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1008-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1011-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1012-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1013-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1015-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2792-1016-0x0000000000400000-0x0000000000471000-memory.dmp