Malware Analysis Report

2025-05-06 00:12

Sample ID 250223-1xy52awmey
Target 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
SHA256 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6
Tags
blackshades defense_evasion discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6

Threat Level: Known bad

The file 35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6 was found to be: Known bad.

Malicious Activity Summary

blackshades defense_evasion discovery persistence rat

Blackshades

Blackshades family

Modifies firewall policy service

Blackshades payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-23 22:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-23 22:02

Reported

2025-02-23 22:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSINFWNBMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLYFOYVGCNGHXQT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XARKPWIICWADTPQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMAMXUASWRNPBHO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VONVJIKFDKFVJQK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCPGTPNSESUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPIBHOXANTKSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLIRDJO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDDFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVXSQXSIWEMDY\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PNMQDHDBRXPGFHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCUTBVLYBGPGF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXWMWPOQCGLYL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDJQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGFLHXKSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQMANYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WONVKJKGELGWJRA\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ULAVRMVGWBGVWTD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BOKYXNXQPRDHMAM\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YWUYMCPLJYOBOQL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SVLFDKTJPHXODND\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSTPNPFTAJAU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNLTFMQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\AUWKWHGKXYBLRYY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XEXHTSTPNUPFSAJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MLGPYWHDOHIYRUW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YASLQXJJDXBEUQR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIFJEMBYCUSBCVK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IBQAIROIDDSTQLR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDGVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\PKILAOVFQVFSDBG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GQHESWIJGPBHMCO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IOTFDHCJVWRQSIV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULKAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWHIBVACSPPL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUOPYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPGQJIKWAXF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNSPDPAXDVUQSEK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BNTYJHLGODEWUDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KDSCKTQKFAEUVSB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMGQXHEOIJSVWIJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BSLRYJAKDXCEURR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPNLQDHCARWPFFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYBGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NSOCPAXDVUQREJR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPXLLMHFMIYLSC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJFDFVIQKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYTCWYMRWCDAJB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSCJTPKFEUVSBB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEQWMKOJRFH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBACWCSNBID\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUEPUERCAF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FPYGDRVHIFOAGLB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERIVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SQUIMHFWUKKMHAD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTLJAU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DAEHTUPNQFTBKBV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDVMJEXNOLUGMR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIVGEJWXAKQXX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WDVFRRSNLSOERYI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SXTHTFDHVWJOVWH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQQRMKRNCQXG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKEETURAB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDRHUQOTGTVAQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKCIPYABOUMTIS\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBOWCUYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPOWKKLGELHXKRB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTQBVIBVXCS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFKRDDRWOWKVLH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUHLHFVTKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORGAXGPFLCTKJUR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JETYRHRLJMYCHVU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\NHRYIFPJKTWXJKH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHQNHCCRSPYKQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKLUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWSTBP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPTFDHCKVWSQSIW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GCXQWOFPIHJWWES\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DYCQGTPNSFSUPIL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPJBHOXANTLSHRH\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\RNMGQXHEOIJSVWI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YBSLRYJAKDXCEUR\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXLBOKIYXNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUKECJSIOFWNCMC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DFAAVQELGKYHTPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTPSVTWHMREBQYQ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNEDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRXTJWENE\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\EYDOLKOBFBPVNEE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJXEN\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXPLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKKWTQUPXMNAFMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TMLTHHIDBIEUHOJ\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWANDRNLQCPRMFJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CDYUPCYJEJYWGRX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ERNQUSUGKPDAPXO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQLJMBPWFRVGSDC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
PID 2032 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe
PID 2712 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2436 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
PID 2712 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe
PID 2996 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1400 wrote to memory of 684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2996 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
PID 2996 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
PID 2996 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
PID 2996 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe
PID 2788 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1608 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2788 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
PID 2788 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
PID 2788 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
PID 2788 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe
PID 1940 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
PID 1940 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
PID 1940 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
PID 1940 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe
PID 1872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQCINA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NHRYIFPJKTWXJKH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\HAPHQNHCCRSPYKQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSTPNPFTAJAU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNLTFMQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOMQLT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CDYUPCYJEJYWGRX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe

"C:\Users\Admin\AppData\Local\Temp\ERNQUSUGKPDAPXO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJACDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AUWKWHGKXYBLRYY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XEXHTSTPNUPFSAJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAJXFT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PNMQDHDBRXPGFHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNYCUTBVLYBGPGF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe

"C:\Users\Admin\AppData\Local\Temp\XRJPWHIBVACSPPL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGBHVD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EYDOLKOBFBPVNEE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJXEN\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe

"C:\Users\Admin\AppData\Local\Temp\ANJXWMWPOQCGLYL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempIACQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIVGEJWXAKQXX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe

"C:\Users\Admin\AppData\Local\Temp\WDVFRRSNLSOERYI\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempBPYLK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SXTHTFDHVWJOVWH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe

"C:\Users\Admin\AppData\Local\Temp\VBUEQQRMKRNCQXG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEQWMKOJRFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGVFNBACWCSNBID\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUJDCJSINFWNBMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVGHFN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLYFOYVGCNGHXQT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\XARKPWIICWADTPQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RNMGQXHEOIJSVWI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YBSLRYJAKDXCEUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe

"C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMVHNS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUOPYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe

"C:\Users\Admin\AppData\Local\Temp\HDYRXPGQJIKWAXF\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRCVVK.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NSOCPAXDVUQREJR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQPXLLMHFMIYLSC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempLIRDJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKLUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe

"C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWSTBP\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOXTSH.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PMAMXUASWRNPBHO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe

"C:\Users\Admin\AppData\Local\Temp\VONVJIKFDKFVJQK\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempHIFOA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MLGPYWHDOHIYRUW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe

"C:\Users\Admin\AppData\Local\Temp\YASLQXJJDXBEUQR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGELHXKRB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IPTFDHCKVWSQSIW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe

"C:\Users\Admin\AppData\Local\Temp\GCXQWOFPIHJWWES\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempQBUUJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBOWCUYTPQDJQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\XPOWKKLGFLHXKSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRRCWV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNSPDPAXDVUQSEK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe

"C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTQ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

"C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMWRFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCPGTPNSESUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPIBHOXANTKSHRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXPLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempVRRGP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKKWTQUPXMNAFMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\TMLTHHIDBIEUHOJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDGHRM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXLBOKIYXNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe

"C:\Users\Admin\AppData\Local\Temp\RUKECJSIOFWNCMC\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYGPGD.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WIFJEMBYCUSBCVK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe

"C:\Users\Admin\AppData\Local\Temp\IBQAIROIDDSTQLR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXWSST.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUEPUERCAF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe

"C:\Users\Admin\AppData\Local\Temp\FPYGDRVHIFOAGLB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDGVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempXMIQI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BNTYJHLGODEWUDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KDSCKTQKFAEUVSB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DFAAVQELGKYHTPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe

"C:\Users\Admin\AppData\Local\Temp\FTPSVTWHMREBQYQ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUHLHFVTKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORGAXGPFLCTKJUR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLIRDJO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGPBHM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMGQXHEOIJSVWIJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe

"C:\Users\Admin\AppData\Local\Temp\BSLRYJAKDXCEURR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERIVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

"C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQMANYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe

"C:\Users\Admin\AppData\Local\Temp\WONVKJKGELGWJRA\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempYXTTU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKILAOVFQVFSDBG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe

"C:\Users\Admin\AppData\Local\Temp\GQHESWIJGPBHMCO\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEOKYX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SQUIMHFWUKKMHAD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTLJAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempDMDXB.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IOTFDHCJVWRQSIV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe

"C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULKAU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe

"C:\Users\Admin\AppData\Local\Temp\JETYRHRLJMYCHVU\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempOULJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ULAVRMVGWBGVWTD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe

"C:\Users\Admin\AppData\Local\Temp\BOKYXNXQPRDHMAM\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMNXTA.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDRHUQOTGTVAQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe

"C:\Users\Admin\AppData\Local\Temp\XQKCIPYABOUMTIS\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe

"C:\Users\Admin\AppData\Local\Temp\KCSCJTPKFEUVSBB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGYXUU.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQLJMBPWFRVGSDC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe

"C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempCAJXF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPNLQDHCARWPFFH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYBGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempMWSFC.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DYCQGTPNSFSUPIL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe

"C:\Users\Admin\AppData\Local\Temp\WPJBHOXANTLSHRH\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKXIGL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DAEHTUPNQFTBKBV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe

"C:\Users\Admin\AppData\Local\Temp\DLDVMJEXNOLUGMR\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempEHISO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YWUYMCPLJYOBOQL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe

"C:\Users\Admin\AppData\Local\Temp\SVLFDKTJPHXODND\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDDFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe

"C:\Users\Admin\AppData\Local\Temp\HKWVXSQXSIWEMDY\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJFDFVIQKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe

"C:\Users\Admin\AppData\Local\Temp\BKYTCWYMRWCDAJB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempKTPCO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWANDRNLQCPRMFJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNEDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe

"C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe"

C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe

C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRXTJWENE\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
N/A 192.168.1.16:3333 tcp

Files

SHA512 8376bb982210ccc7ecbf4ad36aa46c841c98834751f76b1395e04d5f7a2c9f1d23097aeec3842e7dc106efa3ffcab08a8c74023b7a42817ea3f9dd590f137c65

C:\Users\Admin\AppData\Local\TempWIOTF.bat

MD5 652f407aec6e62db91f8dceaeb49bb33
SHA1 0eeded2abdfe0fb8c0eeab654b062b4bf3030bfe
SHA256 9a073162fd314d1076ec3bd0432a678aa65b00df5414ade34a9f5fb716951e5e
SHA512 7ccb3fc2c29cc1257bb2eb0d163e07204c476d0c26a2208a38bef33ad45781d50738b8c356d29f478bc467efd4d767cc406ea26035dc010e6672de293d228960

C:\Users\Admin\AppData\Local\TempOULJN.bat

MD5 1031de00fb12877ca1ea3a3c30e9c1d8
SHA1 9d7f12c6855696eef7c341525b06b4b3ed3a55eb
SHA256 bd33a9c2689e3f7798a532cb2d7212a91bf702112aad1bd0785cf1fb5139a6e4
SHA512 144624c0fa8a42299345c68fe6f8fcf9e4a74dcab009d69039fc24d12c22a35484bf5f28d270bc50eb15351e99c16c9d3376fd27d3b6a5b9e632a06dad9ef2db

C:\Users\Admin\AppData\Local\TempMHQHF.bat

MD5 5a25b81aed74b167ea51919cf873d2fc
SHA1 56b2f2e5184300b74b0e947721dd445ab94b5fc1
SHA256 c94980ad5bb0ce23cd44cd7ec3580a7fc7f4104201304ab657e3506921f5c05d
SHA512 a96b1a46f7957df8ea087efaaf0fbb2b6045df6b371cd56e5b4f475e0c0adfbc2c3dfb3d2fc85041202874bc4a58d6e28eb98f8dd08ea2203dc1cda217d3f0b1

C:\Users\Admin\AppData\Local\TempMNXTA.bat

MD5 b5f1dbdd61899b01889ca36394bfbcd0
SHA1 b7d45fdbf9502664c05df2c24fff6e7c9dfa8550
SHA256 e4dd63554ef451959bd56b71673a60f004decfcc5a7270cf39832964288cfc45
SHA512 8c8472ce9959299f4878a84ef0d667f0efd367fdb40e90da3e1f651cfadd0477a4bd0f906dff1ddf1b1a6b3207623bac0b4a9b6d48e81a6764a7200851158458

C:\Users\Admin\AppData\Local\TempMIQHF.bat

MD5 b1d806a91b70ca83c060d89048cdb273
SHA1 0865d2932c37142a30971e2d143e1e5c74657934
SHA256 cf11fc51fe8d86044f4c0023027a0608655684e11db86884295c0427ab5a3b81
SHA512 ba3ea12c4bc3857bf241eeda86de6cb6d45f9820e84fa90e6b89be5f2257800779414dadf34ac6709590a437d1ed79bb69459614646822f29b72152af656f7ba

C:\Users\Admin\AppData\Local\TempGYXUU.bat

MD5 580b41089b57db8a6c700604e3950814
SHA1 ad40f4de6e646bfbb845bed835dccf60c30c2c9e
SHA256 0ab38778cc72a8cec5b9954bb5043c04da77550a00e508919f5b41208e892e44
SHA512 28f72cac31fa657b415f221e2bd06bab74324484cee1cce39cfe05d681dc4afba69ca801521b575943473534103c924ec996b1e8ea5d9bf3762ae607751bad0d

C:\Users\Admin\AppData\Local\TempCAJXF.bat

MD5 dd9b85c1af6e757ed070222ec926d5fa
SHA1 3a3315571ea00bc351bcb25f1771fb38de381a6c
SHA256 cc1528e64456e553119a25e753b1f1bf04ff3006b4c32805d0607193f2a840ec
SHA512 c7f1f4c75a3211f0a023c7a8a5040415545a676b7b183a4814de9f7b305809285fcdf789f27f3f9a0b7b139ccd488eb17bf3a7183e32e084f1310488dd8038a3

C:\Users\Admin\AppData\Local\TempMWSFC.bat

MD5 d436191c50229e232e217c85c462aa77
SHA1 b2aa8f91e2a09897c42675400e041b62bf538101
SHA256 9ffcad743b0bbc3436f3b164eeb4a24245c1cbc77f61b527e918a3d31e2485a6
SHA512 12a6358d4d810873c33b140f50c7ae47ea0eba0d9ce26c3b37b8a24a52c1c06d2b68aeaed032fde2fee3fa4e836baca9e144d9b56062ee1ee7733718dacac5ce

C:\Users\Admin\AppData\Local\TempKXIGL.bat

MD5 ab03218c7bc1990e61ce6d03bd6b272b
SHA1 9eef00ec9f1e78c08fdc054d860c351f31030a07
SHA256 5d861be2c28e0c100dcaf688357b1541f2cdd40e62921da3528ec2fde5a4ddf4
SHA512 46298481ed75c80951bfeffdcd2bf2222fff93f9643e90dedf70a0df8ddd921719995ad65ed352fbfe9b59ebaac3a9f990355b1897da94d25ebbe36ddd70c3ac

C:\Users\Admin\AppData\Local\TempEHISO.bat

MD5 817581e4cfe28bab2be4f4b73f7ab372
SHA1 ae99ec7f67ac23fae736086d22defc4434e1b7af
SHA256 e516494166781a16fa09d61ab2d51fc1b2205c7ad04f4c0b58cdb160915a8b59
SHA512 f74af482a46e730970d30bb87096b69d1e0c9409a51ac6ba0cdebc973e088aa43c67992460e076bfd0c12374b267e2515eb2f62435727e0ab1c5d82da02db39d

C:\Users\Admin\AppData\Local\TempGUCQP.bat

MD5 9d8c823aa9d6fc3f009d667a0b5c2aeb
SHA1 9cc26bc83d1c543b737c4880b73e40a6ed254bce
SHA256 980325fa121f72202cbd9a4e320dd85478d002b45842c3b39d504bf7b72d9ca4
SHA512 66b0ec285297046e694cc6889ad4402bbe9d18677b40a25dcec92f363dc1f6ad46bd49033204d1a182f69d2cc8d12120e7bcc02c1c394da8a56a932082b54c42

C:\Users\Admin\AppData\Local\TempUASWR.bat

MD5 61101519a3da1228d0e0498cf23f87f5
SHA1 23984750bbaf6fceb0c0fbeb529e99639b05e8be
SHA256 9c159a7dda38e907392f7f5f8eca5e53c87da914822ec84ede5bea5c8c8d37ac
SHA512 26ba91b2024c784543aa8b1d4ee53960426804d7e818bc01b7ee35966601d6d5cf9a520ab631fe0f86285f4ad5cfcf7796a81db944e4f89b6842e4da25103a71

C:\Users\Admin\AppData\Local\TempKTPCO.bat

MD5 e19b90bfba2c69d2c21ac3776c877917
SHA1 85d70a13fc6e4842be8e175522d24be6bd879a9e
SHA256 f26d0a66680e921a772d938e06bdbf148c6c8cf1d28d0e2d6f33b202f4fd55c5
SHA512 3473e5d438d56038f4cde527e74c8ea478621af9702f4e6f18d1041f45da675dbece582c6157a46fe76c79a6445d3f8833830ea6d2e717263cccbb563b90b46f

C:\Users\Admin\AppData\Local\TempAHVDR.bat

MD5 67268169a450d00a136aeb8064928cf6
SHA1 2ff1c026bb20b5f389c3be97e1d371ffa9fda84c
SHA256 fa60dc9662fd2feb711d924c44f9a5b09b975c5d5694037ffb38aaeaf25555ae
SHA512 43ede016de0bad1a5cf6c85bee13503e7ba215de4e3e9e38a0b2015b0a318984a460500da0946727ecc94d188ac7365f2a120ba15c1d62e986ae4ea8718c3466

memory/2700-1482-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2700-1487-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2700-1490-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2700-1491-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2700-1492-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2700-1494-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-23 22:02

Reported

2025-02-23 22:04

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TFOFXOLGWPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RQEFABWREMGLYIT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFWOKFAPQNWIOT\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MBVRMAWHXCGWXUD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BPLXOYRQSEINAMU\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FUUHJECEUIPKOLX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AJXTBWXLQVCDAIB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KXGGSYPNRMTIJBI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PIYHPDDEEAVQDKF\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CRQEFABWRELGLYI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UXMGFMVLQIQEPFB\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TCDOULJNIQEFYWF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MEUDLAVARMGBGVW\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JXENWUFBMFGWPST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WQIOVGHAUBROYOK\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MQEIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\URPTOWKLDLLUPYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEESXPXLWMI\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IYQEOEAXVNDQMKP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACFQSNLODRYHTXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJBSKGBVLMJREKP\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NGVFNBABWCSNBIC\\service.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVSRVIMIGWULLN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYYCUSBVKYAGPG\\service.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3156 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4024 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
PID 4024 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
PID 4024 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe
PID 1284 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Windows\SysWOW64\cmd.exe
PID 220 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 220 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 220 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1284 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 1284 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 1284 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe
PID 5008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3128 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3128 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3128 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5008 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe
PID 5008 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe
PID 5008 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe
PID 972 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Windows\SysWOW64\cmd.exe
PID 3732 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3732 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 972 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
PID 972 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
PID 972 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
PID 4832 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4424 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4424 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4832 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
PID 4832 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
PID 4832 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe
PID 1692 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1692 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
PID 1692 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
PID 1692 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe
PID 1184 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1184 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
PID 1184 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
PID 1184 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe
PID 4852 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe

"C:\Users\Admin\AppData\Local\Temp\35ba852d6ec8277f1ba478107cdb88eddf97aaa9ef9fc7663dabfc38c930b8e6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempQOSNV.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQEFABWREMGLYIT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe

"C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempPVLJN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MBVRMAWHXCGWXUD" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

"C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempENYAW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URPTOWKLDLLUPYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe

"C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempCPRMF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IYQEOEAXVNDQMKP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

"C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTRVQY.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FUUHJECEUIPKOLX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe

"C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempJRNWN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGGSYPNRMTIJBI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

"C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempUFEIW.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQSNLODRYHTXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe

"C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempTQOSN.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CRQEFABWRELGLYI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

"C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempFYOJS.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCDOULJNIQEFYWF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe

"C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYFGDM.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JXENWUFBMFGWPST" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe

"C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe

"C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempIBEFO.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KAVSRVIMIGWULLN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe

"C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MQEIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

"C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXOLGWPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

"C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
N/A 192.168.1.16:3333 tcp

Files

C:\Users\Admin\AppData\Local\TempQOSNV.txt

C:\Users\Admin\AppData\Local\Temp\FNFWOKFAPQNWIOT\service.txt

C:\Users\Admin\AppData\Local\TempPVLJN.txt

C:\Users\Admin\AppData\Local\Temp\BPLXOYRQSEINAMU\service.exe

C:\Users\Admin\AppData\Local\TempENYAW.txt

C:\Users\Admin\AppData\Local\Temp\TNGMTEESXPXLWMI\service.exe

C:\Users\Admin\AppData\Local\TempCPRMF.txt

C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

C:\Users\Admin\AppData\Local\TempTRVQY.txt

C:\Users\Admin\AppData\Local\Temp\AJXTBWXLQVCDAIB\service.exe

C:\Users\Admin\AppData\Local\TempJRNWN.txt

C:\Users\Admin\AppData\Local\Temp\PIYHPDDEEAVQDKF\service.exe

C:\Users\Admin\AppData\Local\TempUFEIW.txt

C:\Users\Admin\AppData\Local\Temp\BJBSKGBVLMJREKP\service.exe

C:\Users\Admin\AppData\Local\TempTQOSN.txt

C:\Users\Admin\AppData\Local\Temp\UXMGFMVLQIQEPFB\service.exe

C:\Users\Admin\AppData\Local\TempFYOJS.txt

C:\Users\Admin\AppData\Local\Temp\MEUDLAVARMGBGVW\service.exe

C:\Users\Admin\AppData\Local\TempYFGDM.txt

C:\Users\Admin\AppData\Local\Temp\WQIOVGHAUBROYOK\service.exe

C:\Users\Admin\AppData\Local\TempXGGPL.txt

C:\Users\Admin\AppData\Local\Temp\NGVFNBABWCSNBIC\service.exe

C:\Users\Admin\AppData\Local\TempIBEFO.txt

C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGPG\service.exe

C:\Users\Admin\AppData\Local\TempYGUTF.txt

C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe

C:\Users\Admin\AppData\Local\TempNWIOT.txt

C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
